A SECURE AND FLEXIBLE MODEL OF PROCESS INITIATION
FOR A COMPUTER UTILITY*


by 


Warren Alan Montgomery 


ABSTRACT 


This thesis demonstrates that the amount of privileged code related to
process initiation in a computer utility can be greatly reduced by making
process creation unprivileged. The creation of processes can be controlled by
the standard mechanism for controlling entry to a domain, which forces a new
process to begin execution at a controlled location. Login of users can thus
be accomplished by an unprivileged creation of a process in the potential
user's domain, followed by authentication of the user by an unprivileged
initial procedure in that domain.


The thesis divides the security constraints provided by a computer utility
into three classes: access control, prevention of unauthorized denial of
service, and confinement. We develop a model that divides process initiation
into five independent functions: process creation, domain changing, resource
control, authentication, and environment initialization. We show which
classes of security constraints depend on each of these functions and show
how to implement the functions such that these are the only dependencies
present.


The thesis discusses an implementation of process initiation for the Multics
computer utility based on the model. The major problems encountered in this
implementation are presented and discussed. We show that this implementation
is substantially simpler and more flexible than that used in the current
Multics system.


*This report is based upon a thesis of the same title submitted to the
Department of Electrical Engineering and Computer Science, Massachusetts
Institute of Technology, on May 13, 1976 in partial fulfillment of the
requirements for the degrees of Master of Science and Electrical Engineer.
CHAPTER 1


INTRODUCTION 


1.1 The Problem. 


This thesis is concerned with process initiation in a computer utility.
Process initiation consists of all those functions that are performed to
support the creation of processes. In the Multics computer utility, these
functions are:

1) Process Creation: The addition of a new process to the set of processes
being managed by the system.

2) Resource Control: The assignment of resources (CPU cycles, memory pages,
and the use of I/O devices) to a new process.

3) Authentication: The identification of the user who will control the new
process.

4) Domain Changing: The assignment of a Principal ID, which will be used in
determining the process's access to objects in the file system, to a new
process.

5) Environment Initialization: The initialization of mechanisms needed to
support the computation performed by the new process.


As can be seen from the above list, process initiation includes a wide
variety of functions. Some of these functions must enforce security
constraints, while others are unrelated to security. In the Multics computer
utility, and in many others, the mechanisms that implement the functions that
we include in process initiation are poorly organized and heavily
interdependent. This interdependence not only makes all of these mechanisms
more difficult to prove correct, but also makes the security of the computer
utility dependent on a larger set of mechanisms than the minimum set that is
necessary to implement the desired security constraints.

The primary goal of this thesis is to devise an organization for the
mechanisms that implement process initiation that is simple and minimizes
unnecessary dependencies. New mechanisms will be developed to separate some of
the functions listed above in that organization.

A second goal of the thesis is to produce an organization for process
initiation that can easily be used for any situation in which processes must
be created for users. Processes are a powerful tool for structuring
computation, and a process initiation mechanism that is simple and inexpensive
encourages the use of processes. An implementation of process initiation for
the Multics computer utility will be used to test the proposed organization.


1.2 Method of Attack.

We will be most interested in reducing the number of mechanisms on which
the security of the computer utility depends, and in reducing the complexity
of those mechanisms. We extend the notion of a security kernel [Sc75] to a
kernel with several layers. Each layer is responsible for enforcing a
different set of security constraints. All of the mechanisms that must
function correctly to enforce a particular set of constraints lie inside of
the kernel layer for that set.
The principle of least privilege [Sa75] is used as a guide to determine
the functions that are implemented in each kernel layer. This principle
states that each mechanism should be given only those privileges needed to
perform its function. Thus, each kernel layer should contain only those
mechanisms needed to enforce the security constraints for which that layer is
responsible. The principle of least privilege reduces unnecessary
dependencies.

Another important structuring technique used in this thesis is to
implement each function with a small program module, and to minimize the
interactions between modules. By clearly defining the function performed by
each such module, we make each module easy to verify. By minimizing the
interactions between modules, we make the structure of the system simple and
thus easy to verify.

An important goal of this thesis is the minimization of common mechanism.
By this we mean making the set of mechanisms on which all users must depend as
small as possible by removing mechanisms that don't need to be shared and by
simplifying those that remain. Such common mechanisms must be included in the
security kernel. Any mechanism that a user need not depend on need not be
certified, as a user who is not satisfied that such a mechanism is correctly
implemented can avoid using it. The structure presented for process
initiation in this thesis has very little mechanism on which all users must
depend.
1.3 Results.

This thesis demonstrates that the security kernel of a computer utility
can be simplified by making process creation unprivileged. The authorization
for process creation is provided by the domain changing mechanism, which
forces a new process to begin execution at a controlled location. An
unprivileged process can thus be used to create a process for a potential user
in that user's domain. Authentication of the user is performed by an
unprivileged initial procedure in that domain. The remainder of this section
describes these results in somewhat greater detail.

A security kernel with three layers is used in the thesis. The layers
provide:

1) Access Control: Restrictions on the operations that processes can
perform on objects.

2) Prevention of Unauthorized Denial of Service: A guarantee that each
user receives a fair share of the available resources.

3) Confinement: A guarantee that information stored in the computer
utility is released only to users who are authorized to see that
information.

The thesis partitions process initiation into the five functions of
process creation, authentication, resource control, domain changing, and
environment initialization. Each function is implemented in the kernel layer
that provides the least privilege required to perform that function. The
thesis considers three of the functions (domain changing, authentication, and
resource control) in detail.
The domain changing mechanism for process initiation, which controls a
newly created process's access to objects, must perform a similar function to
that of mechanisms used to control the calling of protected subsystems. The
desired characteristics for a domain changing mechanism that will serve both
purposes in an access control list oriented system, such as Multics, are
presented and discussed. We present several domain changing mechanisms that
can be used for both purposes.

The thesis shows that authentication can be removed from the access
control and denial of service layers of the kernel. This removal can be
accomplished by allowing each user to select his own authentication
procedures. The thesis also shows how authentication can be removed from the
confinement layer by allowing different authentication mechanisms to guard the
release of different pieces of confined information.

The thesis also presents the concept of authentication forwarding, which
allows information obtained through authentication to be shared in a secure
way. Authentication forwarding is a natural model for dealing with
authentication information. Authentication forwarding allows processes to
make use of authentication procedures performed by the system without forcing
every user to be dependent on the correctness of such procedures.

The test implementation of process initiation done for the Multics
computer utility demonstrates that the functionality of process initiation
provided by Multics can be achieved with a much simpler structure than that
currently used. The implementation also makes the set of programs that must
function correctly in order to enforce a particular security constraint much
easier to distinguish.
1.4 Thesis Plan.

The first three sections of this chapter have provided a brief overview
of the work done in this thesis. The remainder of this chapter discusses
previous work in the areas of computer security and process initiation.

The second chapter presents the model for computer protection mechanisms
that is used in this thesis. This model is used to define more precisely the
notion of a layered security kernel, and to define clearly the layers used in
this thesis. The five functions of process initiation are described, and each
function is assigned to a layer of the kernel according to the privileges
required to perform that function.

Chapter three considers the problem of authentication. We show that
authentication falls outside the access control and denial of service layers
of the kernel in our protection model, and show how to remove authentication
from the confinement layer. We present the concept of authentication
forwarding, and discuss the functions that must be performed by an
authentication forwarding mechanism.

Chapter four considers the problem of resource control. We discuss the
issues involved in performing resource control, and show how many policies of
resource control can be implemented by programs executing in an environment
that does not provide privileges that would allow those programs to violate
the constraints provided by the access control layer.

Chapter five presents four mechanisms for authorizing domain changing.
Properties of domain changing mechanisms desirable for process initiation and
protected subsystem calling are discussed. The advantages and disadvantages
of each of these mechanisms are evaluated, before choosing the mechanism used
in the test implementation.
Chapter six discusses an implementation of process initiation for the
Multics computer utility. A brief description of Multics is presented, with
special emphasis on the properties of the current process initiation scheme.
We describe an implementation of process initiation for Multics based on our
model, and show that that implementation is substantially simpler than the one
currently used. A more detailed description of the implementation appears in
Appendix A.

Chapter seven evaluates the usefulness of the model in structuring
process initiation. The model is compared with two other process initiation
schemes in three situations in which a process is created. The chapter
summarizes our conclusions about the model and discusses topics for further
research in process initiation.


1.5 Related Work. 

This thesis draws heavily on previous work on computer protection
mechanisms. The concept of protection domains introduced by Lampson [La74]
forms the basis for the access control scheme used by this thesis. The design
of a confinement mechanism for the thesis was influenced by much previous work
on the confinement problem [An74,Be73,La73,Ro74,Sc75,We69]. The domain
changing mechanisms of Jones [Jo72] and Schroeder [Sc72] strongly influenced
the design of the mechanisms for authorizing domain changes in the thesis. A
study of these two theses first led to the idea that process creation could
be made unprivileged.

This thesis is part of a research effort described by Schroeder [Sc75] by
the Computer Systems Research group of the M.I.T. Laboratory for Computer
Science to simplify the security kernel of the Multics computer utility. The
Multics system [Or72] is ideal for such study because it contains
sophisticated hardware and software protection mechanisms. Some recent theses
[Br75,Ja74] have shown that various functions could be removed from the
security kernel. Other work [Be73,Re76,Au76] has demonstrated that the
security kernel can be substantially simplified by structuring the functions
that it performs. This thesis shows that some of the functions of process
initiation can be removed from the kernel, and presents a structure that
simplifies those that remain.
CHAPTER 2

A MODEL FOR PROCESS INITIATION

In this chapter, we show how to structure process initiation in a secure
computer utility. First, we define more precisely what is meant in this
thesis by "secure", by defining three security goals. We then examine briefly
the mechanisms used to enforce those security goals to see how they interact
with process initiation. We show that the security goals can be enforced by a
security kernel with three layers. Finally, we examine each of the five
process initiation functions and show in which layer of the kernel each
function should be implemented.


2.1 Security Goals.

In this section, we define three security goals for a computer utility:

1) Access Control - The control of the operations that can be performed on
objects in the computer utility.

2) Prevention of Unauthorized Denial of Service - A guarantee that
authorized operations can actually be performed.

3) Confinement - The prevention of the release of information stored in a
computer utility to users not authorized to see that information.
Access Control.

As stated above, the goal of access control is to provide control of the
operations that can be performed on objects. Such control allows the user or
users responsible for an object to protect the integrity of that object. To
provide access control, we use the concept of protection domains [La74].

Each process in the computer utility is associated with a protection
domain by a process-domain binding, a binding made in a system-wide context.
The domain of a process determines the operations that that process can
perform on objects in the computer utility. The domain of a process
represents the authority responsible for the activities of that process.

The details of how the operations that a process can perform are
determined from the domain of the process are not important in this chapter.
We can imagine that there is a two-dimensional array which for each domain
and object specifies the operations that a process in that domain can perform
on that object. In chapter five, we consider access control mechanisms in
greater detail.

In order for such an access control mechanism to provide protection for
objects, the association of a process with a domain must be controlled. If a
user could obtain control of a process in any domain, then the access control
mechanism could not deny that user the use of any object. This thesis refers
to the problem of authorizing changes in the process-domain binding as domain
changing. Domain changing is described in greater detail in a later section
of this chapter and in chapter five.
Prevention of Unauthorized Denial of Service.

The goal of prevention of unauthorized denial of service is to keep one
user from interfering with the use of the computer utility by other users.
One common example of denial of service occurs when a user can exploit a flaw
in the operating system of the computer utility to cause the computer utility
to fail. Such a failure denies service to all users while the system is
restarted, and may cause work in progress at the time of the failure to be
lost.

Many less severe examples of denial of service exist. In some computer
utilities, one user can capture a sufficiently large percentage of the
available computing power or memory that the use of the system by other users
is impaired. In this thesis, denial of service generally refers to the denial
of the right to use a process.


Confinement.

Simply stated, the goal of confinement is to provide control over the set
of users who are allowed to observe a piece of information in the computer
utility. (1) Confinement has been used to prevent the release of classified
military information [We69]. Confinement has also been used to protect
proprietary information that must be read by an uncertified program [Ro74].

(1) The term "piece of information" can represent a wide variety of things.
It can mean the contents of an object such as a file, or the name of an
object, or even just the presence of an object. Any of these may convey
information that may need to be concealed from some set of users.

There are two definitions of the confinement problem: message
confinement and total confinement. Message confinement [An74] consists of
preventing the transfer of confined information to unauthorized users through
the operations performed on objects. Total confinement consists of preventing
the transfer of confined information to unauthorized users through any means,
however slow or obscure. (This includes the covert channels of Lampson
[La73], which transfer information through the observation of the use of
shared resources.) The mechanisms discussed in the next section are intended
to provide message confinement. In order to provide total confinement, the use
of shared resources must be controlled so as to block information transfer
through covert channels. Several researchers have proposed mechanisms to
achieve confinement in a computer utility [An74,Be73,Ro74,We69]. These
mechanisms all tag the objects in the computer utility with some indication of
the confined information that they represent, and use the tags to restrict the
distribution of information to users. There are two ways in which the tags
have been used to provide confinement:

1) The high water mark [Ro74]. In these mechanisms, each operation that
modifies an object and may add confined information to that object
changes the tag of that object to reflect the confined information that
could have been transferred.

2) The *-property [Be73]. In these mechanisms, an operation that modifies
an object is not allowed unless that object is already tagged as
containing any confined information that the operation could add.

For this thesis, the second type of mechanism is chosen. Rotenberg
[Ro74] shows how the changing of the tags that occurs with the high water mark
mechanism can itself be used to convey confined information. It therefore
seems extremely difficult to achieve total confinement using a high water mark
mechanism.




The model of confinement used in this thesis tags each object, process
and user with a confinement set. A confinement set is a set of confinement
attributes. Each confinement attribute is used to represent some class of
information, such as a military security classification, or a proprietary
project. The confinement set of an object identifies the confined information
that that object contains. The confinement set of a process indicates the
confined information that that process is allowed to observe. The confinement
set of a user represents the information that the user may observe. Three
rules are used to enforce confinement:

1) A process is allowed to perform an operation that observes an object
(i.e. one whose outcome depends on the contents of the object) only if
the confinement set of the object is a subset of that of the process.

2) A process is allowed to perform an operation that modifies an object
only if the confinement set of the object contains that of the process.

3) A process can direct the release of an object to a user only if the
confinement set of the user contains the confinement set of the object
and that of the process.

These rules taken together enforce what is referred to elsewhere as the
*-property. (1)
Process initiation interacts with confinement in several ways. The
process initiation mechanism must assign a confinement set to each newly
created process. This assignment must be done in such a way that confined
information is not released. The process initiation mechanism must also
prevent the use of process creation as a signal to transmit information to a
user who is not authorized to see that information.

(1) Some mechanisms assign a level and category set, similar to a military
classification, to objects, processes, and users [We69]. By using one
confinement attribute for each level and each category, the mechanism
presented above can be made to enforce the same constraints as a level and
category mechanism. The above mechanism was chosen because the rules (the
*-property) are significantly simpler with this approach.
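The three confinement rules above, and the requirement that process creation
not become a signalling channel, can be stated compactly as subset tests on
confinement sets. The following Python is an added example written for this
edition; it is not code from the thesis or from Multics. The attribute names
("secret", "projectX") and the objects, processes and users are constructed.
The treatment of process creation as a modification of the new process, so
that the new set must contain the creator's, is an assumption made here and
is not stated in the text.

```python
"""Confinement sets and the three rules of section 2.1 (added example).

Attribute names, object, process and user names are constructed for
illustration and are not from the thesis.
"""
from dataclasses import dataclass
from typing import FrozenSet

ConfSet = FrozenSet[str]


class ConfinementViolation(Exception):
    """Raised when an operation would move confined information downward."""


@dataclass(frozen=True)
class Tagged:
    """An object, process or user together with its confinement set."""
    name: str
    conf: ConfSet


def may_observe(proc: Tagged, obj: Tagged) -> bool:
    # Rule 1: the object's set must be a subset of the process's set.
    return obj.conf <= proc.conf


def may_modify(proc: Tagged, obj: Tagged) -> bool:
    # Rule 2: the object's set must contain the process's set.  With rule 1
    # this is the *-property: a process that may have observed confined data
    # can only write into objects already tagged with that data.
    return proc.conf <= obj.conf


def may_release(proc: Tagged, obj: Tagged, user: Tagged) -> bool:
    # Rule 3: the user's set must contain both the object's and the process's.
    return (obj.conf | proc.conf) <= user.conf


def create_process(creator: Tagged, name: str, conf: ConfSet) -> Tagged:
    """Assign a confinement set to a newly created process.

    Assumption (not stated in the text): the creator writes the new process's
    initial state, so creation is treated as a modification under rule 2 and
    the new set must contain the creator's set.  Without this check a creator
    that had observed confined data could signal it to a less confined user
    simply by choosing which processes to create.
    """
    new = Tagged(name, frozenset(conf))
    if not may_modify(creator, new):
        raise ConfinementViolation(
            f"{creator.name} {set(creator.conf)} may not create {name} {set(conf)}")
    return new


def copy_contents(proc: Tagged, src: Tagged, dst: Tagged) -> None:
    """A copy is an observe of src followed by a modify of dst."""
    if not may_observe(proc, src):
        raise ConfinementViolation(f"{proc.name} may not observe {src.name}")
    if not may_modify(proc, dst):
        raise ConfinementViolation(f"{proc.name} may not modify {dst.name}")


def leak_attempt() -> str:
    """A process cleared for 'secret' reads a secret file and tries to write
    a public one.  Returns the name of the rule that blocked the copy."""
    secret_file = Tagged("secret_file", frozenset({"secret"}))
    public_file = Tagged("public_file", frozenset())
    cleared = Tagged("cleared_proc", frozenset({"secret"}))
    try:
        copy_contents(cleared, secret_file, public_file)
    except ConfinementViolation as err:
        return "modify" if "modify" in str(err) else "observe"
    return "none"
```

The read of the secret file succeeds under rule 1; it is the subsequent write
to the public file that rule 2 refuses, which is exactly the behaviour the
*-property is meant to give. Note that nothing here is a tag change: the sets
are fixed at creation, which is why the high water mark leak described by
Rotenberg does not arise in this model.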


2.2 A Layered Security Kernel.

The set of mechanisms that must function correctly in order to provide
security is known as the security kernel. One design goal for a secure
computer utility is to make the set of mechanisms in the kernel small and
simple, thus making the kernel easier to verify. The notion of a security
kernel can be extended to a kernel with several layers. Each layer of such a
kernel includes all of the programs needed to enforce a different set of
security constraints.

A kernel with multiple layers is useful because it indicates clearly the
mechanisms capable of violating each security constraint. The specifications
for each layer of the kernel need not include any indication that that layer
does not violate the security constraints provided by lower layers. This
reduction in specification simplifies the task of verifying the kernel.

In this thesis, we choose three kernel layers corresponding to the three
security goals described above. The innermost layer of the kernel provides
access control, the second layer prevents denial of service, and the outer
layer provides confinement. The layers were chosen to minimize the number of
mechanisms that fall in each layer.

The access control layer is placed below the denial of service layer
because the denial of service layer can make better use of the functions
provided by the access control layer than vice versa. The denial of service
layer must provide some form of access control in order to keep the actions of
users from interfering with each other. The access control layer need not
prevent denial of service. (1) Thus if the access control layer is placed
below the denial of service layer the denial of service layer can be
simplified, as it can make use of the access control provided by the lower
layer. For this reason, we place the access control layer below the denial of
service layer.

The confinement layer is placed above the denial of service layer for a
similar reason. The confinement layer must prevent some types of denial of
service. A denial of service cannot be allowed to convey confined information
in violation of the *-property. For this reason, we place the denial of
service layer below the confinement layer.

The layers chosen in this thesis are by no means the only choice
possible. Other researchers [Be73] have chosen to place at the core of the
kernel a layer that contains a simple access control mechanism that enforces
the *-property for operations performed on objects (message confinement).
This layer does not enforce total confinement, as actions such as denial of
service can still be used to convey confined information in violation of the
*-property. These so-called covert channels [La73] can be used very
effectively in many computer systems.

(1) Interruptions of the processing done by the access control layer (either
through denial of service or through failure of the hardware) must not result
in the failure of that layer.
2.3 A Model for Process Initiation.

We now describe a model for process initiation in which process
initiation mechanisms change the set of processes, the set of domains, and the
process-domain binding. We want the model to be as general as possible, so
that it can easily be used for any situation in which processes must be
created.

Our model separates process initiation into five functions: process
creation, domain changing, resource control, authentication and environment
initialization. In this chapter, we discuss briefly what each of these
functions does, and in which of the kernel layers previously discussed each
mechanism lies. Later chapters consider some of these mechanisms in greater
detail.


Process Creation.

Process creation consists of creating an initial process state. A
process state describes the characteristics of a process. A process state
contains the domain of the process, the confinement set of the process, the
execution point of the process, the machine registers of the process, and a
description of the address space of the process.

Because process creation alters the process-domain binding, it must be
performed within the kernel layer that provides access control. A second
reason for including process creation in the kernel layer for access control
is that each process may at some point in its lifetime execute functions
inside the access control layer. If the process state of such a process is
not correctly initialized by process creation, then that process may not be
able to perform those functions properly.




Domain Changing.

Domain changing in this thesis really means the authorization of domain
changes. The process creation mechanism actually makes the domain changes by
altering the process-domain binding according to instructions received from
the domain changing mechanism. The problem of authorizing domain changes has
been extensively studied. Schroeder [Sc72], among others, concludes that a
domain changing mechanism must insure that the first procedure executed by a
process that enters a given domain is an acceptable initial procedure for that
domain. This is the only function that the domain changing mechanism must
perform in order to provide access control. (1) Chapter five discusses the
details of controlling domain changing.

The domain changing function must be performed in the kernel layer that
provides access control. The domain changing function needs to alter the
process-domain binding, and thus could violate access control constraints if
not correctly implemented.
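The central claim of the thesis, stated in the abstract and again here, is
that once the domain changing check is in place, process creation itself needs
no privilege: whoever creates the process, it can only begin at an initial
procedure acceptable to the target domain, and that procedure (running
unprivileged in the target domain) performs authentication before handing
control to a user. The following Python is an added example written for this
edition, not code from the thesis or from Multics. The domains, objects, the
access matrix of section 2.1, the per-domain initial procedure names and the
password table are constructed for illustration; a real system would not hold
cleartext passwords.

```python
"""Unprivileged process creation gated only by the initial-procedure check.

Added example.  Domains, objects, access matrix entries, initial procedure
names and the password table are constructed and are not from the thesis.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Access matrix of section 2.1: (domain, object) -> permitted operations.
ACCESS: Dict[Tuple[str, str], Set[str]] = {
    ("Alice", "alice_home"): {"read", "write"},
    ("Bob", "bob_home"): {"read", "write"},
    ("Listener", "terminal_queue"): {"read"},
}

# The domain changing mechanism's only access-control duty: a process that
# enters a domain must begin at one of that domain's initial procedures.
INITIAL_PROCEDURES: Dict[str, FrozenSet[str]] = {
    "Alice": frozenset({"user_initial"}),
    "Bob": frozenset({"user_initial"}),
    "Listener": frozenset({"listener_initial"}),
}

# Checked by each domain's own unprivileged initial procedure (constructed).
PASSWORDS: Dict[str, str] = {"Alice": "correct horse", "Bob": "battery staple"}


@dataclass
class Process:
    domain: str
    execution_point: str
    controlled_by: Optional[str] = None  # user holding the command interpreter


class DomainChangeRefused(Exception):
    pass


def can(proc: Process, obj: str, op: str) -> bool:
    """Access control layer: consult the matrix for the process's domain."""
    return op in ACCESS.get((proc.domain, obj), set())


def create_process(creator: Process, target_domain: str,
                   initial_procedure: str) -> Process:
    """Process creation that requires no privilege from the creator.

    Nothing about `creator` is checked.  The new process-domain binding is
    still safe because the new process can only start at an acceptable
    initial procedure of the target domain, so the creator cannot borrow the
    target domain's access rights by choosing where execution begins.
    """
    if initial_procedure not in INITIAL_PROCEDURES.get(target_domain, frozenset()):
        raise DomainChangeRefused(
            f"{initial_procedure!r} is not an initial procedure of {target_domain!r}")
    return Process(domain=target_domain, execution_point=initial_procedure)


def user_initial(proc: Process, claimed_user: str, password: str) -> bool:
    """Unprivileged initial procedure of a user domain.

    It runs inside the target domain, so an error here endangers only that
    domain's owner.  The command processor is handed to the stream's source
    only after authentication succeeds; otherwise no user controls the process.
    """
    if proc.execution_point != "user_initial":
        return False
    if claimed_user == proc.domain and PASSWORDS.get(claimed_user) == password:
        proc.controlled_by = claimed_user
        proc.execution_point = "command_processor"
        return True
    return False


def login(listener: Process, user: str, password: str) -> Optional[Process]:
    """Login as in the abstract: an unprivileged listener creates a process in
    the candidate user's domain and lets that domain's initial procedure
    decide whether to give the user control."""
    try:
        proc = create_process(listener, user, "user_initial")
    except DomainChangeRefused:
        return None
    return proc if user_initial(proc, user, password) else None


def hijack_attempt(listener: Process, victim_domain: str) -> bool:
    """Try to start a process in another domain directly at its command
    processor, bypassing authentication.  Returns True if the kernel refused."""
    try:
        create_process(listener, victim_domain, "command_processor")
    except DomainChangeRefused:
        return True
    return False
```

The listener never needs read access to anyone's password or home directory:
the only shared mechanism every user depends on is the initial-procedure check
in create_process, which is the reduction in common mechanism that section
1.2 asks for. A user who distrusts the stock user_initial can install a
different acceptable initial procedure for his own domain without affecting
anyone else.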


Resource Control.

The resource control function assigns the resources necessary to begin
the execution of a process. In the Multics computer utility, these resources
consist of CPU cycles and memory pages, as well as the choice of whether or
not to allow a process to be created at all. The assignment of resources to
processes is made according to a resource control policy that attempts to
insure that each user receives a fair share.

(1) The initial procedure can control the computation performed by the
process, and thus prevent misuse of access rights or resources available to
the domain.
Resource control clearly lies within the kernel layer for the prevention of
unauthorized denial of service. The resource control mechanism can deny a
user the right to create a process by refusing to allocate the needed
resources. In the design of many computer systems, the resource control
mechanism also lies within the kernel layer that provides access control. In
chapter four, we show how the resource control function can be implemented
outside of the access control layer, thus simplifying that layer.


Authentication.

An authentication mechanism is responsible for determining the identity
of a user. If a user can control the operations performed by a process (by
communicating with a command interpreter executing in that process), then the
user must be identified to insure that he is authorized to use the domain of
that process. In the Multics computer utility, a process that is created to
serve a user has an initial procedure that calls a command processor to give
the user control of the process. The identity of the user is determined
through authentication before the process is created.

In chapter three, we show how to remove authentication from all three
layers of our security kernel. This removal is accomplished by allowing each
user to choose his own authentication mechanism. An error in one user's
authentication mechanism is no more serious than an error in any other program
that that user chooses to call. Each user can protect himself from failures
of the authentication mechanisms of other users. Chapter three describes how
the three sets of security constraints can be provided without depending on
authentication.
Environment Initialization.

Environment initialization consists of the initialization of mechanisms
that support the execution of a process. In the Multics system, environment
initialization includes the creation of certain working storage segments for
the process, the initialization of error handling for the process, and the
initialization of stream I/O for that process. Environment initialization is
performed by the initial procedure of a process, and the procedures that it
calls.

Environment initialization requires no special privileges because all of
the functions that it performs are local to the process being created.
Environment initialization need not be included in the security kernel.


Summary. 

This chapter has presented a brief description of the five functions that 
are included in process initiation. Each function has been assigned to a 
layer of our security kernel based on the privileges required to accomplish 


that function. Table 2.1 summarizes these assignments. 
Table 2.1

Process Initiation Functions in the Security Kernel

Function                        Kernel Layer
Process Creation                Access Control
Domain Changing                 Access Control
Resource Control                Denial of Service
Authentication                  (none)
Environment Initialization      (none)

These assignments were made only on the basis of least privilege. The implementation described in chapter six shows that each of the functions can actually be implemented in the layer shown above, without undue complexity. Such an implementation insures that each kernel layer contains the minimum number of process initiation functions.

The next three chapters of this thesis explore three of these functions (Authentication, Resource Control, and Domain Changing) in greater detail. These chapters describe mechanisms that can be used to provide those functions in the kernel layers shown above.
CHAPTER 3

AUTHENTICATION


This chapter discusses how authentication is related to process initiation. The chapter begins with a discussion of the properties of authentication mechanisms. These properties shape the attitude toward authentication that is taken by this thesis. We show that authentication need not be performed by the security kernel. We also present the concept of authentication forwarding, which can be used to allow the sharing of information obtained through authentication. Authentication forwarding can reduce the number of times that a user must undergo authentication, by allowing the information obtained from the user's first authentication to be shared among the processes with which he must communicate.

In order to discuss authentication, a model of how users communicate with a computer utility is needed. For this purpose, we adopt the concept of a stream. We use a stream to represent a two-way communication channel. We refer to the user who communicates with the computer utility through a stream as the source of that stream. The time during which a user is communicating with the computer utility will be referred to as a session.


3.1 Properties of Authentication Mechanisms. 
An authentication mechanism is a mechanism designed to determine the identity of an unknown user. Such mechanisms usually require the user to produce some piece of data (password, encryption key, etc.) that must match a value kept by the computer utility. Protection mechanisms enforce security constraints within a computer utility, while an authentication mechanism can be used to identify users for the processes executing on the computer utility.


Three important properties of authentication mechanisms are:
1) No authentication mechanism is perfectly reliable. An authentication mechanism identifies a user by a sequence of bits (password or encryption key) supposedly known only by that user. Because any user can produce such a sequence, any such mechanism can be fooled into misidentifying a user.

2) A security conscious user can always devise an authentication mechanism that is more reliable than a system provided authentication mechanism. The probability that a user will be able to fool an authentication mechanism by guessing the password or key is decreased as the length of the password or key is increased. Thus a security conscious user can always increase his security by using a longer password or key, at the expense of having to

3) Each use of an authentication mechanism releases information that aids an intruder in determining the password or key. In general, the stream through which a user communicates with the computer utility passes through some insecure channel (such as a telephone line) that an intruder may be able to monitor. Encryption based schemes are less vulnerable to such monitoring than password schemes.
These three properties influence the way in which this thesis deals with authentication. Points one and two suggest that it is not necessarily desirable for all users to rely on one system-wide authentication mechanism. Such a mechanism cannot be guaranteed always to make correct identifications, and no matter what mechanism is used, a better one always can be found.

Point two suggests that different users might want to use different authentication mechanisms. Different users have different security requirements and thus some users might be willing to spend a great deal (in terms of extra communication, extra computation, and the overhead of remembering more information) to insure that they cannot be impersonated. All of the users of the computer utility might not want to pay the cost of the security requirements of these few.

Point three says that authentication should be performed only when necessary. Thus the results of authentication should be remembered, so that each new process or domain that encounters a stream does not necessarily have to perform authentication. Authentication forwarding is introduced to provide this memory.


Authentication and Security. 


In this section, we examine how authentication must be used to enforce the security constraints of our three kernel layers.


1) Access Control. 

The innermost layer of our kernel is responsible for providing protection for objects in the computer utility. The definition of the security provided by this layer of the kernel was carefully chosen to avoid the notion of a user. This layer of the kernel insures that objects can be accessed only by authorized domains. This constraint can be enforced without using authentication to identify users.

By ensuring that a process can enter a domain only through a controlled initial procedure, we allow the initial procedure to guard the domain. The initial procedure can authenticate a user before allowing that user to control the process.

In many computer utilities, each user is authenticated soon after he contacts the utility. An authenticated user is then allowed to change the authentication procedure to be used for future sessions (by changing his password) and to specify from his terminal the operations that the computer utility will perform for him during the current session. In the organization used in this thesis, a user who contacts a computer must choose an initial domain. He then must satisfy whatever authentication mechanism is used by the initial procedure of that domain. Even after successful authentication, the initial procedure may impose limits on the operations that will be performed for the user.

The organization used in this thesis allows a user who requires a high degree of security to specify his own authentication procedure in the initial procedure for the domain that he will use (as will be shown in chapter 5). It also allows for limited service users, a concept that has proved useful in current computer utilities.


2) Denial of Service. 

Whether or not authentication is required to prevent unauthorized denial of service depends on whether the utility guarantees service to users, or whether it guarantees service to domains. If a computer utility guarantees each user a fair share of the available resources, users must be authenticated to insure that one user cannot monopolize the resources of the computer


Page 30 Chapter 3 


utility by requesting services from many terminals simultaneously. Domains can be guaranteed a fair share of the available resources by imposing restrictions on the resource use of processes. The resource controller need not be aware of the fact that some of the processes are performing operations on behalf of the users of the computer utility.

The initial procedure of a domain can be used to assign the resources guaranteed to that domain to users, much the same as the initial procedure is used to insure that the access rights granted to that domain are not abused. The Multics computer utility uses a resource control scheme that assigns resources to processes based on their principal ID. As we show in chapter six, this resource control scheme can be implemented without relying on authentication.


3) Confinement. 

Authentication is required in some form in order to achieve confinement. This is because the purpose of confinement is to prevent a user from obtaining information that he is not entitled to. There are several ways in which authentication can be incorporated into the mechanism that enforces confinement.

One way to provide confinement is to authenticate each user who contacts the computer utility and to insure that each process with which the user communicates has a confinement set that is smaller than that of the user. This scheme has the disadvantage of system-wide authentication schemes mentioned before, namely that it does not allow different authentication mechanisms to be used for different users with different security needs.




Because different confinement attributes protect different information, it is likely that some of that information is more sensitive than the rest, and therefore a user should be forced to pass a more rigorous authentication before gaining access to such information. The following scheme allows different authentication mechanisms to be used to obtain different confinement attributes.

Each terminal that contacts the computer utility is initially assigned an empty confinement set. A process that wishes to communicate with a terminal may discover that it cannot do so because the confinement set of the terminal does not contain the confinement set of the process. The process must call on an authentication mechanism to identify the user at the terminal. After the authentication mechanism has identified the user, it changes the confinement set of the terminal to include the confinement set of the authenticated user. Each authentication mechanism is only authorized to supply some of the possible confinement attributes, so that different authentication mechanisms can be used to grant different confinement attributes.

This scheme also has the advantage that the responsibility for devising and maintaining the authentication mechanisms can be distributed among the users who wish their information to be protected by confinement. The computer utility need only provide some means of allocating the confinement set attributes and establishing the authorized authentication mechanisms.

The major disadvantage of the above scheme is that a user with a large confinement set may have to be authenticated several times during the same session in order to obtain access to all of the information that he needs. Current applications of confinement mechanisms do not tend to have users with large confinement sets. Also, a user rarely needs access to all of the information that he is potentially entitled to in any one session. Making it awkward or costly for a user to obtain access to all of the information that he could potentially see may have the beneficial effect of encouraging each user to obtain only the privileges that he needs for his current task.


Encryption. 


Much recent work on authentication has been devoted to the development of authentication mechanisms based on encryption. Such schemes have the advantage over passwords that the sensitive identifying information (password or encryption key) is not sent through the stream, and thus is less vulnerable to being stolen. Some of the protocols require that each process that talks to a stream know the encryption key for that stream. The scheme developed by Kent [Ke76] uses one key for authentication and one key to provide secure communication through the stream once authentication has been performed. The second key must be known by each process that communicates with the stream. The authentication forwarding mechanism described below is well suited for the distribution of such keys.


3.2 Authentication Forwarding. 


We say that a process that relies on a previously performed authentication to determine the identity of the source of a stream is using a forwarded authentication. Thus in most computer systems, where a system-wide mechanism authenticates users when they first contact the system, each process relies on a forwarded authentication (from the system-wide mechanism) for the source of the stream from which it receives commands.

Forwarded authentications are a very common phenomenon outside of the computer utility. Identification cards represent forwarded authentications. Anyone who determines the identity of a person from an identification card (or driver's license or credit card) is actually relying on the authentication performed by the issuer of the card. Unfortunately, identification cards can be lost, stolen, or forged. Forwarded authentications maintained inside a computer utility can be protected, making them unforgeable and unstealable.

There are two facts that any process using a forwarded authentication must know: the claimed identity of the user, and the authentication procedure used. Both of these facts can be provided by allowing a process that performs authentication to record securely the identity determined for the user. In order to allow the authentication mechanism used to be determined, sufficient information to identify the author of each forwarded authentication must also be recorded. With our model, the necessary information is the process, domain, and procedure that recorded the result of an authentication, and the time of recording. This information allows a process that uses a forwarded authentication to identify the authentication mechanism used, just as the distinctive format of an identification card allows the issuer of the card to be identified.

Identification cards sometimes become invalid, due to changes in the information that they contain. In the computer utility, a change in the source of a stream invalidates previous authentications for that stream. The computer utility cannot always detect each case in which the source of a stream changes. (1) In the case of streams with finite lifetimes, such as telephone or other network connections, the computer utility can detect when a user's stream has been disconnected, and should forget any authentications performed for such a stream. The authentication forwarding mechanism should delete the forwarded authentications for a stream when that stream is disconnected. A stream can be disconnected and reconnected between the time when a process performs an authentication and the time when that process records the authentication, leading to an incorrect forwarded authentication.

(1) One case in which it is difficult to detect a change in the source of a stream occurs when a user walks away from a terminal and a second user takes over without either one informing the computer utility of the change.

One solution to this problem is to have the computer utility maintain a count of the number of times that a stream has been connected. The process performing authentication can then obtain this connection count before performing authentication and present the connection count to the authentication forwarding mechanism along with the forwarded authentication. The authentication forwarding mechanism can then obtain the current connection count in order to determine whether or not the forwarded authentication is valid. The connection count is used as the eventcounts of Kanodia and Reed [Ka76].

A forwarded authentication for a stream is useful only to the processes that can read from or write to that stream. It therefore seems desirable to allow only those processes that can read or write a stream to read the forwarded authentications for that stream. We also allow only those processes that can read from a stream to record forwarded authentications for that stream. These restrictions allow the computer utility to limit the resources expended in keeping forwarded authentications, by limiting the number of authentications kept for each stream, without allowing one process to monopolize these resources by recording forwarded authentications for streams that it cannot use. The above restrictions are not necessary for security reasons, because the information recorded with a forwarded authentication identifies the author of that authentication and prevents forgery.
We must, however, keep authentication forwarding from becoming a covert channel for confined information. This can be done by assigning a confinement set to each forwarded authentication and forcing the reading of forwarded authentications to obey the constraints of confinement. Each forwarded authentication is given the confinement set of its author. (1)
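As an added example (not the thesis's or Multics' own code), the following Python model puts together the terminal confinement-set scheme of the Confinement discussion above, the forwarded authentication record with its author and time of recording, and this subsection's connection count check and reading restrictions. The user table, passwords, pids, the per-stream record limit and the reading of the confinement rule as "a record is visible only to a reader whose confinement set contains the record's" are assumptions of the example.

```python
import hmac
import itertools
from dataclasses import dataclass

# Constructed user table: identity -> (password, the user's confinement set).
USERS = {"alice": ("alice-pw", frozenset({"payroll", "research"})),
         "bob": ("bob-pw", frozenset({"research"}))}

@dataclass(frozen=True)
class Process:
    pid: int
    domain: str
    confinement: frozenset = frozenset()

@dataclass
class Stream:
    """Two-way channel to a terminal; its confinement set starts out empty."""
    name: str
    readers: frozenset                 # pids allowed to read from the stream
    writers: frozenset                 # pids allowed to write to the stream
    connection_count: int = 0          # the eventcount: bumped on every connect
    connected: bool = False
    confinement: frozenset = frozenset()

@dataclass(frozen=True)
class ForwardedAuthentication:
    identity: str            # claimed identity of the stream's source
    author_pid: int          # process, domain and procedure that recorded it,
    author_domain: str
    author_procedure: str
    recorded_at: int         # and the (logical) time of recording
    confinement: frozenset   # confinement set of the author

def can_communicate(proc: Process, stream: Stream) -> bool:
    """A process may use a terminal only if the terminal's set contains its own."""
    return proc.confinement <= stream.confinement

class ForwardingMechanism:
    MAX_PER_STREAM = 4   # constructed bound on the records kept per stream

    def __init__(self):
        self._records = {}                  # stream name -> [ForwardedAuthentication]
        self._clock = itertools.count(1)    # constructed logical clock

    def connect(self, stream: Stream) -> None:
        stream.connected = True
        stream.connection_count += 1

    def disconnect(self, stream: Stream) -> None:
        """Disconnection forgets everything authenticated for the stream."""
        stream.connected = False
        stream.confinement = frozenset()
        self._records.pop(stream.name, None)

    def record(self, stream, author, procedure, identity, count_at_start) -> bool:
        """Keep a forwarded authentication.  Only readers of the stream may record
        (nobody can fill the table for streams it cannot use); a stale connection
        count, i.e. the stream was reconnected since the authenticator read it,
        rejects the record."""
        if author.pid not in stream.readers:
            raise PermissionError(f"pid {author.pid} cannot read {stream.name}")
        if not stream.connected or stream.connection_count != count_at_start:
            return False
        recs = self._records.setdefault(stream.name, [])
        if len(recs) >= self.MAX_PER_STREAM:
            return False
        recs.append(ForwardedAuthentication(identity, author.pid, author.domain,
                                            procedure, next(self._clock),
                                            author.confinement))
        return True

    def read(self, stream, reader) -> list:
        """Only readers or writers of the stream see its records, and a record is
        visible only if its confinement set is contained in the reader's own."""
        if reader.pid not in stream.readers | stream.writers:
            raise PermissionError(f"pid {reader.pid} cannot use {stream.name}")
        return [r for r in self._records.get(stream.name, [])
                if r.confinement <= reader.confinement]

class PasswordAuthenticator:
    """An authentication mechanism authorised to supply only some attributes."""
    def __init__(self, proc, supplies, fwd):
        self.proc, self.supplies, self.fwd = proc, supplies, fwd

    def authenticate(self, stream, identity, password) -> bool:
        count = stream.connection_count   # obtained before authenticating
        stored, user_set = USERS.get(identity, (None, frozenset()))
        if stored is None or not hmac.compare_digest(stored, password):
            return False
        if not self.fwd.record(stream, self.proc, "PasswordAuthenticator",
                               identity, count):
            return False                  # stream reconnected while we worked
        # Extend the terminal's set with the authenticated user's attributes,
        # but only those this mechanism is authorised to grant.
        stream.confinement |= user_set & self.supplies
        return True
```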


3.3 Example. 

The following section shows how processes are created for users of a computer utility using the ideas on authentication of this chapter. The scheme described is compared with a more commonly used scheme for incorporating authentication into process creation.

A user who contacts a computer utility for service informs the computer utility of his identity. Based on this identity, the computer utility selects a domain in which to create a process to serve the user. The computer utility may or may not authenticate the user to verify his right to use the requested domain, perhaps by demanding a password. If authentication is performed, then the result of that authentication is recorded as a forwarded authentication for the stream that represents the user's terminal. A process is then created for the user, beginning execution in the chosen domain in one of the valid initial procedures for that domain. It is the responsibility of the initial procedure to determine whether or not to serve the user. This decision could be based on the forwarded authentications recorded for the user's stream.


(1) An alternate scheme would be to give each forwarded authentication the confinement set of the corresponding stream. This scheme would not work well for a system in which the confinement sets of streams changed, such as the authentication scheme described above where a stream gains confinement attributes after its source is authenticated.
If the user desires access to confined information, then he must make contact with a process with the desired confinement set (either by specifying that his initial process be created with a nonempty confinement set, or by asking his initial process to try to change its confinement set or give his stream to some process with the desired confinement set). Such a process will discover that it cannot communicate with the user, and must select one or more authentication mechanisms to call on to identify the user, depending on the attributes that the confinement set of the user's stream is missing. Each of these authentication mechanisms in turn records forwarded authentications for the user's stream, and some of these mechanisms may rely on authentications forwarded from others.

We contrast this scheme with the authentication scheme used in most computer systems today, which uses a system-wide authentication mechanism to identify each user who contacts the system. An authenticated user can then create and control processes in any domain that he is authorized to use.

Notice that the scheme presented in this chapter can be made to behave like the more common scheme (by performing authentication for all users who contact the computer utility, and having all initial procedures make use of the forwarded authentication from the system-wide mechanism). Thus a user who does not require a high degree of security need not generate his own authentication mechanism and can instead rely on the system-wide mechanism. A highly privileged domain, however, can be guarded by an arbitrarily secure authentication mechanism.

One of the most important differences between our scheme and the more commonly used one is that the process that responds to a user who contacts a computer utility (called the listener, logger or monitor in some computer systems) needs no special privileges in order to create processes for users. We therefore can remove this process from the security kernel. This process generally executes complex programs, because it must be capable of dealing with several users concurrently, and work with a large variety of ports on the computer.

Notice also that several processes can be used to wait for users to contact the computer utility. Different processes can be used to respond to different types of streams (telephone connections versus network connections), and thus the complexities of dealing with a particular type of stream can be isolated in one process. A utility with parallel processing capability may also want to make use of multiple processes to increase the rate at which new users can be handled.

In chapter six, we show how this authentication scheme can be implemented for the Multics computer utility. Chapters six and seven summarize the advantages and disadvantages of this scheme.
CHAPTER 4

RESOURCE CONTROL


This chapter discusses how resource control is related to process initiation. We begin with a discussion of the issues involved in controlling resource use in a computer utility. We then present a set of operations through which the use of resources in the computer utility can be controlled, and show that the use of these operations can not violate access control constraints. The chapter concludes with a discussion of the kinds of resource control policies that can be implemented using our set of operations, and the security constraints that can be violated through the use of these operations.


4.1 Issues of Resource Control.


A resource is a service provided by the computer utility. Thus resources can include physical devices (line printers, card readers, etc.), abstract devices (virtual processors, memory pages, etc.), or even programs (matrix inverters, etc.). This chapter is most concerned with the resources needed to initiate a process. In Multics, these resources are the process itself and the CPU cycles and memory pages needed to execute the initial procedure. Resource control consists of the distribution of resources to processes, and the recording of the use of resources by processes for accounting.

In this section, we present some of the issues involved in the control of resource use in a computer utility. These issues guide the way in which resource control is included in the model of process initiation. We consider two issues: the distinction between mechanism and policy, and the general scheme of resource control used (hierarchical or central).


Policy and Mechanism.

Recent research [Jo72,An74] has stressed the importance of distinguishing policies from the mechanisms used to implement those policies inside a computer utility. The separation of mechanism and policy is particularly important in the area of resource control, since different resource control policies may be suitable for different resources of the same system. Different policies may also be needed for different users. A flexible resource control mechanism can implement a wide variety of policies.

This chapter is most concerned with the interface between mechanism and policy. The interface should be chosen so that the mechanism can be implemented with a small, simple, and easily verifiable set of program modules. At the same time, the interface should support a wide variety of resource control policies, without allowing the violation of access control constraints through the use of the operations provided by the interface. Such an interface allows the removal of the most complicated and variable portion of resource control (the policy) from the access control layer of the security kernel.

Resource Control Philosophy.


Two common approaches to resource control are the hierarchical and centralized systems of control. In the centralized system, there is a central authority known as the resource controller that is responsible for the assignment of resources to all processes. In the hierarchical scheme, each process is responsible for fulfilling the resource needs of the processes that it creates. Thus each process acts as resource controller for its descendants.

The hierarchical system has the advantage that the creator of a process has more knowledge of the anticipated resource needs of that process than a centralized resource controller, and so can make a better decision about the resources to assign. The hierarchical system is also quite flexible because each process can implement its own policy of resource control.

However, the hierarchical scheme requires that each process that creates processes perform resource control. This duplication makes it difficult to add a new type of resource, because several algorithms may need to be modified to deal with the new resource. In the central scheme, only the central resource controller need be modified to add a new type of resource. Duplication of mechanisms also increases the chance of error.

The hierarchical scheme does not respond well to processes with erratic, time-varying resource requirements. Resources assigned to meet a sudden demand by such a process may have to pass through resource control algorithms in several processes. These algorithms may be unwilling or unable to meet such a demand.

Another disadvantage of the hierarchical scheme is that it does not provide for a process and its creator to be mutually suspicious. Each process must trust its creator to assign the resources that that process needs. In turn, each process must trust its descendants not to waste their assigned resources by not performing the desired task. The centralized scheme does not share this difficulty, as each process is dependent only on the central resource controller for its resources. A process and its creator can be mutually suspicious, because neither must depend on the other for resources.
A fourth problem with the hierarchical scheme is that it does not interact well with confinement. In a computer utility with hierarchical control, the resources that a process assigns to its descendants can be used as a covert communication channel to pass confined information. In addition, each process can signal information to its creator through its use of the assigned resources. Both of these channels are difficult to block with hierarchical resource control. If neither of the channels is blocked, then each process must be assigned the same confinement set as its creator, so that neither channel can be used to violate confinement. Such an assignment of confinement sets would force all processes to have the same confinement set.

Because mutual suspicion and confinement are both considered important in this thesis, we choose centralized control.


4.2 Primitive Operations for Resource Control.

In this section, we present and discuss a set of primitive operations that enable a centralized authority to perform resource control. These operations form the interface between mechanism and policy discussed above. We show that the operations do not allow the resource controller to violate access control constraints, but do allow the resource controller to implement a wide variety of resource control policies.


We use the following set of primitive operations for resource control:


1) The resource controller will be allowed to control the distribution of resources to all processes.

2) The resource controller will be allowed to monitor the use of all resources by all processes.

3) The resource controller will be allowed to observe a fixed set of parameters of a proposed process initiation (such as the initial procedure or domain), and veto the creation of a process.

4) The resource controller will be allowed to destroy any process.


The first of these operations is needed to implement a resource control policy. Different types of control are needed for different resources. Some resources, such as line printers or card readers, are assigned to a process for a relatively long time period (minutes at least). Primitive operations that allow the resource controller to assign such resources to processes should be provided. Some resources, such as the use of the CPU or memory, must be rapidly switched among processes in order to provide rapid response to requests from users. A small, simple, and fast control mechanism is generally provided for such resources. The resource controller controls the distribution of such resources by specifying to this control mechanism the set of processes in contention for the resource and the priority of each process.

The second operation allows the resource controller to observe the resource use of each process, even if the actual assignment of resources is made by a lower level mechanism (as in the case of CPU cycles and memory pages described above). This primitive allows the resource controller to record resource use for accounting.

The last two operations allow the resource controller to control the total number of processes. Each process may consume space in tables that contain the state of that process, and the amount of such space may be limited. The performance of algorithms for multiplexing the available processors and memory among processes degrades as the number of processes increases. The resource control policy of the computer utility may therefore dictate that the number of processes be limited. Another reason for limiting the number of processes is to provide good response to sudden changes in the resource requirements of processes. If the resources are divided among too many processes, it may be difficult for the resource controller to gather all the resources needed to meet a large demand by one process. The resource controller is allowed to observe certain characteristics of each process that is created, so as to have some basis for deciding whether or not to allow the creation of that process.
We now show that none of the four operations allows the resource controller to violate the access control constraints of the kernel. This property allows a resource controller that depends only on the above operations in order to perform control to be implemented outside of the access control layer of the kernel.

There are three ways in which one of our primitives might violate the constraints of the access control layer:

1) It might perform an operation not authorized by the access control mechanism.

2) It might alter the process-domain binding.

3) It might change the tables that determine the operations that each domain can perform on each object. (In the case of Multics, the access control lists.)
The first of the primitives controls the assignment of resources to processes. The primitive does not alter the process-domain binding, nor does it alter the set of operations that each domain is allowed to perform. It therefore does not violate the constraints of the access control layer. (1)

The monitoring of resource use clearly cannot alter access control information. It may, however, allow the resource controller to observe the objects being used by a process even if the domain of the resource controller does not authorize the resource controller to see those objects. This does not violate access control, as no process can be compelled to give away information in this manner. It does, however, allow the resource controller to violate confinement, which is one reason that the resource controller is included in the kernel layer that enforces confinement.

The resource controller can change the process-domain binding by rejecting a process creation request, or by destroying a process. The change does not, however, allow the resource controller to gain unauthorized access to objects.

Thus the four operations do not allow the resource controller to violate the access control constraints of the kernel. They do, however, give the resource controller knowledge of the resource use of all processes, and total control of all resource allocation. These abilities allow a wide variety of resource control policies to be implemented.


(1) We must be very careful, however, that resource assignments do not affect the functioning of the access control layer. In a system with a distributed supervisor, the withdrawal of resources may stop a process that is modifying access control information, and may leave that information inconsistent.

4.3 Limitations on Resource Control Policy.

There are limitations on the resource control policies that can be implemented with these primitives. As noted before, the resource controller does not know the identity of the users who control the processes of the computer utility. Thus the resource controller cannot base resource allocation decisions on the knowledge of which user will control the process that receives the resources. We suggested earlier that the resource controller use the initial domain of a process to determine the resources that the process will receive. This is a satisfactory substitute in most cases.

We have also made no provision for the resource controller to find out the details of the computation being performed by a process. Allowing the resource controller to observe more about the execution of a process makes it more difficult for a process to conceal the contents of the objects that it uses from the resource controller. Such observation may be needed in order to implement some resource control policies, such as a policy that grants higher priority to a process when that process is performing certain tasks. The parameters that the resource controller is allowed to observe when the process is created may help the resource controller to determine the task that a process performs, but they do not allow the resource controller to distinguish among several tasks performed in the same process.


4.4 Security Limitations. 

There are also limitations on the security constraints that can be enforced without certifying the resource controller. Although we have shown that we can remove the resource controller from the kernel layer that implements access control, it is clear that the four operations give the resource controller the power to deny service, and thus it must be in the kernel layer that prevents denial of service. We also saw that the operations allow each process to transmit information to the resource controller, and that the resource controller can transmit information to any process through the resources that it allocates. Because of these information channels, the resource controller must be certified not to violate confinement.

A less obvious problem is that of revocation. The ability to revoke access to objects may be very important to the functioning of a computer utility. A denial of service can prevent a process from revoking access. Although this does not violate the access control constraints (the right to revoke access is not guaranteed), it may cause inconvenience to the users of the system.


Summary 

We have shown how a centralized scheme of resource control can be implemented with four primitive operations. These operations allow a wide variety of resource control policies to be implemented. The primitive operations do not allow the resource controller, which implements the resource control policy, to violate access control constraints. Chapter six shows how the complicated resource control policy of the Multics computer utility can be implemented in this manner. This implementation substantially simplifies the access control layer of the kernel.
CHAPTER 5

MECHANISMS FOR AUTHORIZING DOMAIN CHANGES

This chapter considers mechanisms to authorize domain changes in a computer utility. The chapter assumes a list-oriented implementation of access control, such as that of Multics [Or72]. The mechanisms discussed use the access control mechanism of the computer utility to authorize domain changes. Each mechanism is evaluated for use in authorizing process initiation and for use in the calling of protected subsystems.


5.1 Introduction.

The domain changing mechanism needed in process initiation performs similar functions to the mechanisms needed to authorize the calling of a protected subsystem. We therefore desire to have one mechanism that will serve for both purposes.

The mechanisms to be described all make use of two special types of objects in the computer utility, domain objects and domain gate objects. Access to a domain gate object is required in order to create a process or call a protected subsystem, while access to a domain object is required for the creation of domain gate objects. These special objects are used because the access control mechanism of the computer utility can be used to authorize domain changes, just as it is used to authorize operations performed on other types of objects. There is a unique identifier for each domain that we refer to as a Domain Identifier (Domain ID). A Domain ID is used to designate a domain in the same way that Saltzer uses a Principal ID to designate a domain [Sa75]. Each Access Control List consists of a list of terms (ACL terms) that specify a Domain ID and a set of access rights. A process's access rights for an object are determined by the term of the ACL for the object that matches the Domain ID of the domain of the process. The matching algorithm used depends on the particular domain changing mechanism used.

The remainder of this chapter describes four mechanisms to control domain changing. These mechanisms represent a number of ways to control domain changing using the access control mechanisms of the computer utility. They include mechanisms designed for process initiation and those designed for protected subsystem calls. Included in this set of mechanisms are mechanisms similar to those used by Jones [Jo72] and Schroeder [Sc72] to authorize domain changes.


5.2 Four Mechanisms for Authorizing Domain Changes.

I have named the four mechanisms to be presented Exact Specification, Partial Specification, Last Component Specification, and Appending Specification. Exact Specification is the simplest of the four mechanisms. Partial Specification is slightly more complicated, but can be used to implement authorization schemes that allow several authorities to share responsibility for a domain, such as the scheme used in the Multics computer utility [Or72]. Last Component Specification is similar to the mechanism presented in Schroeder's thesis to control the creation and calling of protected subsystems [Sc72]. Appending Specification is a much more general mechanism that allows the entire call history of a process to be used in determining the access rights of that process.
5.2.1 Exact Specification.

The first mechanism for domain entry control to be discussed will be referred to as Exact Specification. Each domain change is authorized by a domain gate object. A domain gate object specifies a Domain ID and an initial procedure. A process makes a call to a procedure in another domain by calling the "domain call" primitive (an operation provided by the security kernel) and passing it the name of a domain gate object. (1) If the process has "call" access to the domain gate object, the domain of the process is changed by the kernel to that specified by the domain gate and the process executes the specified initial procedure. To create a process, one must call the process creation primitive, passing it the name of a domain gate object to which the caller has "create" access.

The "call" and "create" accesses described above are determined from the ACL of the domain gate. (2)

The creation of new domain gates is controlled by the domain objects. Each domain object specifies a Domain ID. A process may create a domain gate by calling the "create_gate" primitive, passing it the name of a domain object and the name of an initial procedure. The process must have "create_gates" access to the specified domain object.



(1) If an attempt to call the gate directly resulted in an error condition, then the computer utility could detect attempts to call domain gates and invoke the domain call primitive automatically. This scheme is similar to dynamic linking. The calling procedure could then call the gate just as it would call any procedure in the same domain.

(2) As noted before, the initial procedure for a domain can be used to guard the access rights and resources of that domain. Therefore, the "call" and "create" access rights are unnecessary, and only serve as a convenience. The important function of the domain gate object is to bind together an initial procedure and a domain.
The creation of domain objects must be controlled, since any process with access to a domain object can create new gates for the domain that is specified by that object. This control can be accomplished by allowing the creation of a domain object only if the Domain ID specified by that domain object has not been previously used.

It is important to understand the system of control being employed in this mechanism, as it is common to all the mechanisms discussed in this chapter. This system of control is very similar to that used by Schroeder [Sc72] to control the creation and calling of protected subsystems. The creation of new domains is an unprivileged operation, as any process is allowed to create new domain objects, while the creation of gates into a particular domain is under the control of the domain object for that domain.

Notice that access to a domain gate object is sufficient to use a domain gate. Access to a domain object is not required. Thus we cannot, through the ACL of a domain object, revoke the right to use domain gates that were created using that domain object. Adding to the ACL of a domain object is in some sense non-revokable. This non-revokability is true of all of the domain changing mechanisms discussed in this chapter. We could provide some mechanism to destroy all of the domain gates created from a particular domain object. Because domain gates cannot be freely transferred or duplicated, as can capabilities, it is easy for the computer utility to locate all of the domain gates that were created using a particular domain object.

Exact Specification could be used for both calling and process initiation, as it is capable of authorizing a domain change between any two domains. It also seems relatively easy to implement. There are, however, two disadvantages to this mechanism that make it less suitable.
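The following Python model of Exact Specification is an added example, not code from the thesis. It represents domain objects, domain gate objects and ACLs as plain objects and implements the kernel primitives the text names ("create_gate", "domain call", process creation) with assumed signatures; the class names, the "destroy_gates_from" primitive and the sample Domain IDs (Smith.Tools, Editor.Tools, Jones.Proj1) are constructed for the example. The demo exercises the properties the text states: a Domain ID may be used by only one domain object, a process created through a gate begins in the gate's domain at the initial procedure, and clearing the domain object's ACL does not revoke existing gates, which can only be located and destroyed.

```python
class AccessDenied(Exception):
    """An ACL does not grant the right that a kernel primitive requires."""


class DomainObject:
    """Specifies a Domain ID; its ACL controls who may create gates into it."""
    def __init__(self, domain_id):
        self.domain_id = domain_id
        self.acl = {}  # caller's Domain ID -> set of rights, e.g. {"create_gates"}


class DomainGate:
    """Binds an initial procedure to a domain; its ACL grants "call" and "create"."""
    def __init__(self, domain_id, initial_procedure, created_from):
        self.domain_id = domain_id
        self.initial_procedure = initial_procedure
        self.created_from = created_from  # the DomainObject the gate was made from
        self.acl = {}


class Process:
    def __init__(self, domain_id):
        self.domain_id = domain_id
        self.executed = []  # initial procedures run by this process


class Kernel:
    """Security-kernel primitives of Exact Specification (assumed signatures)."""
    def __init__(self):
        self.domains = {}  # Domain ID -> DomainObject
        self.gates = {}    # gate name -> DomainGate

    @staticmethod
    def _require(obj, process, right):
        if right not in obj.acl.get(process.domain_id, set()):
            raise AccessDenied(f"{process.domain_id} lacks '{right}'")

    def create_domain(self, process, domain_id):
        # Unprivileged, but each Domain ID may be used by only one domain object.
        if domain_id in self.domains:
            raise ValueError(f"Domain ID {domain_id!r} already used")
        obj = DomainObject(domain_id)
        obj.acl[process.domain_id] = {"create_gates"}  # creator controls gates (assumption)
        self.domains[domain_id] = obj
        return obj

    def create_gate(self, process, gate_name, domain_obj, initial_procedure):
        self._require(domain_obj, process, "create_gates")
        self.gates[gate_name] = DomainGate(domain_obj.domain_id, initial_procedure, domain_obj)
        return self.gates[gate_name]

    def domain_call(self, process, gate_name):
        gate = self.gates[gate_name]
        self._require(gate, process, "call")
        process.domain_id = gate.domain_id               # the kernel rebinds the process
        process.executed.append(gate.initial_procedure)  # at the controlled location
        return process.domain_id

    def create_process(self, process, gate_name):
        gate = self.gates[gate_name]
        self._require(gate, process, "create")
        child = Process(gate.domain_id)
        child.executed.append(gate.initial_procedure)
        return child

    def destroy_gates_from(self, domain_obj):
        # Gates cannot be copied or transferred, so every gate made from one
        # domain object can be located; destroying them is the only "revocation".
        names = [n for n, g in self.gates.items() if g.created_from is domain_obj]
        for n in names:
            del self.gates[n]
        return names


def demo():
    """Run the mechanism on constructed Domain IDs; returns what the text predicts."""
    k = Kernel()
    owner = Process("Smith.Tools")
    editor = k.create_domain(owner, "Editor.Tools")
    gate = k.create_gate(owner, "editor_gate", editor, "editor_init")
    gate.acl["Jones.Proj1"] = {"call", "create"}
    user = Process("Jones.Proj1")

    child = k.create_process(user, "editor_gate")  # creation needs only "create"
    try:
        k.create_domain(user, "Editor.Tools")      # second object for a used Domain ID
        reuse_blocked = False
    except ValueError:
        reuse_blocked = True
    editor.acl.clear()  # revoking create_gates does not revoke existing gates
    entered = k.domain_call(user, "editor_gate")
    destroyed = k.destroy_gates_from(editor)
    return {"child_domain": child.domain_id, "child_start": child.executed[0],
            "reuse_blocked": reuse_blocked, "entered_after_revocation": entered,
            "destroyed": destroyed}
```

Note that nothing in the model lets a caller pick the domain or entry point freely: the only way into Editor.Tools is through a gate whose initial procedure the gate's creator chose, which is what makes process creation safe to leave unprivileged.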
Using Exact Specification, a process that has "create_gates" access to a domain object can use the corresponding domain by creating gates into that domain. Thus in the case that there is a single authority responsible for a domain, that authority can use the domain object to control the use of the domain. Several computer systems, including Multics, allow two or more independent authorities to share responsibility for a domain. The use of a domain in such a system requires the independent approval of all of the authorities that share responsibility for that domain. An example from the Multics computer utility should help illustrate the use of such a system of control.

In the Multics computer utility, Principal IDs (Domain IDs in our terminology) have Person and Project components. The creation of a process with a particular Principal ID requires the independent approval of both the user who corresponds to the Person component and the project administrator of the project that corresponds to the Project component of that Principal ID. The Principal IDs that appear in Access Control List (ACL) terms are allowed to contain "*" components that match any value of the corresponding component in a Principal ID of a process. Thus the term "Jones.*, read" grants read access to any process that has a Principal ID with a Person component of "Jones".

Such ACL terms are frequently used to allow all of the users of a given project to use a particular program or data base, or to allow a user to have access to his private data while working on any project. In order to preserve the meaning of such terms while using Exact Specification to control domain changing, we must carefully control the creation of a domain object with a Domain ID that matches a previously created Domain ID in any component. For example, we could not allow the creation of a domain object with a Domain ID of "Jones.new" if the Domain ID "Jones.old" had already been used. This is because the domain "Jones.new" can gain access to objects through ACL terms with a Domain ID of "Jones.*", and therefore the use of that domain must be authorized by the person corresponding to "Jones".

The above problem can be solved by allowing only a trusted system administrator to create a domain object that specifies a Domain ID that matches a previously existing Domain ID in some component. This solution, however, overly restricts the way in which users may create and use domains, and forces all users to trust the system administrators. The Partial Specification mechanism to be discussed later provides a better way to allow several authorities to share responsibility for a domain.

A second difficulty with the Exact Specification mechanism is that it does not provide the proper control for the calling of protected subsystems. When a process makes a call that changes its domain of execution, the called domain must have access to the arguments of the call in order to perform the desired function. This access should be revoked when the called domain returns, so that the caller can be assured that the callee will not read or modify the arguments at some later time. In addition, the callee should have some way of verifying that the caller has access to the arguments of the call, so that the caller cannot trick the callee into reading or modifying some object to which only the callee has access.

A domain changing mechanism intended for the calling of protected subsystems should require that the callee and caller share some access rights, thus providing some means to pass arguments. Exact Specification and Partial Specification do not enforce such a requirement. Several researchers [Jo72, Ro74, Sc72] present mechanisms designed specifically to deal with the problem of passing arguments between domains. Any of these mechanisms could be combined with Exact Specification or Partial Specification to form a domain changing mechanism, by using the argument passing mechanism to control access to arguments of cross-domain calls, and using the ACL mechanism to control access to other objects. The Last Component Specification and Appending Specification mechanisms discussed later in this chapter both provide partial solutions to the problem of argument passing that may be significantly easier to implement than the mechanisms of Schroeder and Jones.


5.2.2 Partial Specification.

The second mechanism for authorizing domain changes will be termed here Partial Specification. Domain IDs for this mechanism have a fixed number of components with implied meanings, just as did the Principal IDs of the Multics computer utility described above. These components represent the independent authorities responsible for each domain. A domain object in this mechanism specifies one component of a Domain ID. A domain gate specifies a complete Domain ID and an initial procedure as before. Domain gates are created by passing to a kernel primitive the name of a procedure and a list of names of domain objects. Each of these domain objects must specify a different component of a Domain ID, and all of them taken together specify the Domain ID of the gate to be created. Domain gates are used in creating processes and calling subsystems as before. New domain objects that specify previously unused Domain ID components can be created by calling the "create_domain" primitive.
Figures 5.1a and 5.1b show one way to use this mechanism to implement the pattern of authorization used in the Multics computer utility as described above. The figures show how the domain and domain gate objects could be maintained in a hierarchical file system, such that each such object is under control of the proper authority. Domain IDs have two components, corresponding to Person and Project. Domain IDs specifying the Person component are of the form Person.*, while those specifying the Project component are of the form *.Project. A Project is created by creating a domain object that specifies the Project component of a Domain ID. A new user can be registered by creating a domain object that specifies the Person component. The ACLs on these objects determine who may use them. The following abbreviations are used for access rights in the figures:

s - (status) Allows a process to obtain information about the objects contained in a directory.

a - (append) Allows a process to create more objects in a directory.

m - (modify) Allows a process to modify information in a directory (including the access control lists for the objects in that directory).

Notice that the domain Locksmith.SysAdmin is given modify access to the directory "Users". This access allows a process executing in that domain to obtain access to any of the objects shown in both figures (by modifying ACLs). The Locksmith.SysAdmin domain will have special uses, as shown later.
Figure 5.1a
Domain and Domain Gate Objects in a Hierarchical File System
[Figure 5.1a is not reproducible from the scan; it shows the hierarchy below the Users directory, including the Persons and Proj1 directories.]

Figure 5.1b
Domain and Domain Gate Objects in a Hierarchical File System
[Figure 5.1b is not reproducible from the scan; it shows the hierarchy below the Proj2 directory. Legible labels include the domain object Proj2 with ACL entries "P2Admin.* create_gates" and "Jones.* (none)", and a gate for the domain Jones.Proj2 whose initial procedure is labelled Listener.]
In Figure 5.1a, Jones has been given free access to project Proj1, as he may create new gates into it from any domain whose Domain ID has his name as Person component. These gates can be created by passing the object ">Users>Persons>Jones" and the object ">Users>Proj1>Proj1" to the create gate primitive.
Figure 5.1b shows the hierarchy below the Proj2 directory. Although Jones cannot create new gates into Proj2, he may enter the domain "Jones.Proj2" by using the gate ">Users>Proj2>Jones>gate". This gate had to be created from the domain "Locksmith.SysAdmin", as this is the only domain that has "create_gates" access to the domain objects required to create the gate. The procedures of "Locksmith.SysAdmin" would presumably not create such a gate without the approval of both Jones and the administrator for Proj2. The power of the Locksmith.SysAdmin domain should be used carefully.

Notice that if at any later time the administrator for Proj2 wishes to allow Jones to create gates to the project, he can do so by modifying the ACL on the object ">Users>Proj2>Proj2", without any help from Locksmith.SysAdmin.

Partial Specification models the authorization scheme currently used in the Multics computer utility quite well. It is not significantly more complex than Exact Specification, and therefore should be almost as easy to implement.

This mechanism, however, has the same drawback for subsystem calls as Exact Specification. The calling and called domains are not constrained to share access rights, so that both the caller and the callee must take special action in passing the arguments of a call, and both must be aware of the domain change produced by the call.
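The two-component (Person.Project) version of Partial Specification, as an added Python example that is not code from the thesis. Each domain object specifies one component, and the gate-creation primitive requires "create_gates" on a domain object for every component; the class and function names and the exact ACL check are assumptions made here. The constructed objects follow Figures 5.1a and 5.1b and the discussion above: Jones may create gates into Proj1 on his own, only Locksmith.SysAdmin (given "create_gates" directly here, as a simplification of its modify access on Users) can create the Jones.Proj2 gate, and the Proj2 administrator can later change one ACL term to let Jones do it himself. The paths ">Users>Persons>Jones" and ">Users>Proj1>Proj1" are from the text; the other paths and the initial procedure name are constructed.

```python
NUM_COMPONENTS = 2  # Person.Project, as in Multics


class AccessDenied(Exception):
    pass


class ComponentDomainObject:
    """A domain object that specifies one component of a Domain ID."""
    def __init__(self, path, position, value):
        self.path = path          # e.g. ">Users>Persons>Jones"
        self.position = position  # 0 = Person, 1 = Project
        self.value = value
        self.acl = {}             # ACL term Domain ID -> set of rights


def star_matches(term, domain_id):
    """Multics-style matching: a "*" component in a term matches any value."""
    t, d = term.split("."), domain_id.split(".")
    return len(t) == len(d) and all(a in ("*", b) for a, b in zip(t, d))


def has_right(obj, caller_domain, right):
    return any(right in rights for term, rights in obj.acl.items()
               if star_matches(term, caller_domain))


def create_gate(caller_domain, domain_objects, initial_procedure):
    """Kernel primitive (assumed signature): every component of the gate's
    Domain ID must be supplied by exactly one domain object, and the caller
    needs "create_gates" on each of them."""
    components = [None] * NUM_COMPONENTS
    for obj in domain_objects:
        if not has_right(obj, caller_domain, "create_gates"):
            raise AccessDenied(f"{caller_domain} lacks create_gates on {obj.path}")
        if components[obj.position] is not None:
            raise ValueError(f"component {obj.position} specified twice")
        components[obj.position] = obj.value
    if None in components:
        raise ValueError("not every component of the Domain ID is specified")
    return {"domain_id": ".".join(components), "initial_procedure": initial_procedure}


def build_objects():
    """Constructed domain objects following Figures 5.1a and 5.1b."""
    jones = ComponentDomainObject(">Users>Persons>Jones", 0, "Jones")
    jones.acl["Jones.*"] = {"create_gates"}
    jones.acl["Locksmith.SysAdmin"] = {"create_gates"}
    proj1 = ComponentDomainObject(">Users>Proj1>Proj1", 1, "Proj1")
    proj1.acl["Jones.*"] = {"create_gates"}              # Jones has free access to Proj1
    proj1.acl["Locksmith.SysAdmin"] = {"create_gates"}
    proj2 = ComponentDomainObject(">Users>Proj2>Proj2", 1, "Proj2")
    proj2.acl["P2Admin.*"] = {"create_gates"}            # only the project administrator
    proj2.acl["Locksmith.SysAdmin"] = {"create_gates"}   # and the locksmith (simplification)
    return {"jones": jones, "proj1": proj1, "proj2": proj2}


def demo():
    objs = build_objects()
    out = {}
    out["jones_proj1"] = create_gate(
        "Jones.Proj1", [objs["jones"], objs["proj1"]], "Listener")["domain_id"]
    try:
        create_gate("Jones.Proj1", [objs["jones"], objs["proj2"]], "Listener")
        out["jones_proj2"] = "created"
    except AccessDenied:
        out["jones_proj2"] = "denied"
    out["locksmith_proj2"] = create_gate(
        "Locksmith.SysAdmin", [objs["jones"], objs["proj2"]], "Listener")["domain_id"]
    # The Proj2 administrator later grants Jones create_gates by editing one
    # ACL, with no help from Locksmith.SysAdmin.
    objs["proj2"].acl["Jones.*"] = {"create_gates"}
    out["jones_proj2_later"] = create_gate(
        "Jones.Proj1", [objs["jones"], objs["proj2"]], "Listener")["domain_id"]
    return out
```

The independent-approval property is carried entirely by the ACLs of the per-component objects: no single ACL ever names a complete Domain ID, so neither authority can admit a Person.Project pair without the other.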


5.2.3 Last Component Specification.

The third mechanism to be discussed I will call Last Component Specification. This mechanism cannot be used to authorize domain changes between any two domains, and therefore is not suitable for use in authorizing process initiation. The restrictions made on domain changing by Last Component Specification do, however, make it a more attractive mechanism for authorizing protected subsystem calls than the first two mechanisms considered in this chapter. As before, Domain IDs have a fixed number of components. Domain and domain gate objects specify only the last of these. (1) A call to a particular gate causes the domain of the calling process to be changed. The Domain ID of the process following the call is formed by replacing the last component of the Domain ID of the calling domain with the component specified by the gate. Thus if a process executing in the domain "Jones.Proj1.home" made a call to a gate specifying "editor" as its component, the process would begin to execute the initial procedure of that gate in the domain "Jones.Proj1.editor". New domain objects can be created as before, as long as they do not specify the same last component as previously created domain objects.

This mechanism is very similar to that proposed in Schroeder's thesis [Sc72] for controlling the calling of protected subsystems. The last component of a Domain ID can be used to specify a protected subsystem that could be changed by calls during the life of a process. The other components of a Domain ID can be used to specify attributes that remain constant throughout the life of a process, such as the Person and Project components of Multics. All of the subsystems called in a single process are executed in domains that share some access rights (all access rights that can be obtained by the process through ACL terms with "*" as their last component). Although this does not totally solve the argument passing problem discussed before, it does help somewhat by guaranteeing that all of the subsystems in one process share some access rights.

(1) We could allow them to specify any one component. The specification of only the last component will, however, be adequate for the intended use of the mechanism and simplifies the description.
5.2.4 Appending Specification.

The last mechanism I will refer to as Appending Specification. This mechanism is not well suited to process initiation, as it cannot authorize a domain change between any two domains. The domain and domain gate objects specify only one component of a Domain ID, as in Last Component Specification. The Domain ID of the target domain of a call is formed by appending the component specified by the gate to the Domain ID of the calling domain. A return causes the last component of the Domain ID to be dropped. Thus if a process in the domain "Jones.Proj1.home" makes a call to a gate specifying "editor" as its component, the domain of the process would become "Jones.Proj1.home.editor".

We can see that Domain IDs can have different numbers of components with this scheme. We therefore need to augment the rules for matching of Domain IDs and ACL terms to specify what happens when the Domain IDs being matched are of different lengths.

The component "##" has special significance in our matching algorithm and is used to allow an ACL term to match Domain IDs of various lengths. Before comparing the Domain IDs of the process requesting access and the ACL term, the matching algorithm checks to see if the Domain ID of the ACL term has a component of "##". If so, and if the Domain ID of the process has at least as many components as that of the ACL term, then the "##" component is replaced by one or more "*" components so that the Domain ID of the term and that of the process have the same number of components. If the Domain ID of the ACL term has more components than that of the process, then the "##" component is deleted. We allow each ACL term to contain at most one "##" component. (1)

If the Domain ID of the ACL term does not have a "##" component, or if it has more components than that of the process, then the following two rules apply.

1) If the Domain ID of the process is longer than that of the ACL term, then they do not match.

2) If the Domain ID of the ACL term is longer than that of the process, then they match only if all of the "extra" components of the ACL term are "*".

Table 5.1 illustrates these matching rules.


Table 5.1 


Examples of ACL Term Matching 


A process can grant access to an object about to be passed by a call by putting a term with the Domain ID of the domain about to be called followed by ".##" on the ACL of the object. In this way, the object will be accessible to the subsystem to be called and any subsystems that it calls. The ACL term need not be removed following the call, as all of the domains that it matches can only be reached by calling the same subsystem again. Thus in a sense the Appending Specification mechanism automatically revokes access following a call.

(1) Allowing more than one "##" component makes the matching algorithm much more complicated, and makes it difficult for a user to see which Domain IDs match a given term.
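The Domain ID transformations of Last Component Specification and Appending Specification, together with the "*" and "##" matching rules and the ".##" argument-passing idiom just described, as an added Python example that is not code from the thesis. Function names are assumptions; where several ACL terms match a process, this example takes the first matching term, since the thesis does not state a tie-break. The Domain IDs (Jones.Proj1.home, the editor subsystem) come from the text; the spell and mailer subsystems are constructed.

```python
def last_component_call(caller_id, gate_component):
    """Last Component Specification: the gate replaces the last component."""
    parts = caller_id.split(".")
    return ".".join(parts[:-1] + [gate_component])


def appending_call(caller_id, gate_component):
    """Appending Specification: the gate's component is appended on a call."""
    return caller_id + "." + gate_component


def appending_return(callee_id):
    """A return drops the last component again."""
    return ".".join(callee_id.split(".")[:-1])


def normalize_term(term, proc):
    """Resolve the single "##" component of an ACL term against a process ID."""
    if term.count("##") > 1:
        raise ValueError('at most one "##" component per ACL term')
    if "##" not in term:
        return term
    i = term.index("##")
    if len(proc) >= len(term):
        # replace "##" by one or more "*" so both IDs have the same length
        return term[:i] + ["*"] * (len(proc) - len(term) + 1) + term[i + 1:]
    return term[:i] + term[i + 1:]  # term is longer than the process: drop "##"


def term_matches(term_id, process_id):
    proc = process_id.split(".")
    term = normalize_term(term_id.split("."), proc)
    if len(proc) > len(term):      # rule 1: a longer process ID never matches
        return False
    if len(term) > len(proc):      # rule 2: extra term components must all be "*"
        if any(c != "*" for c in term[len(proc):]):
            return False
        term = term[:len(proc)]
    return all(t in ("*", p) for t, p in zip(term, proc))


def rights_for(process_id, acl):
    """acl is a list of (term Domain ID, rights); the first matching term decides."""
    for term_id, rights in acl:
        if term_matches(term_id, process_id):
            return rights
    return set()


def demo_argument_passing():
    """Jones.Proj1.home is about to call the editor subsystem and grants access
    to an argument with the term "<callee Domain ID>.##" on its ACL."""
    caller = "Jones.Proj1.home"
    callee = appending_call(caller, "editor")            # Jones.Proj1.home.editor
    acl = [(callee + ".##", {"read", "write"})]          # the only term on the object
    nested = appending_call(callee, "spell")             # a subsystem the editor calls
    after_return = appending_return(callee)              # back in Jones.Proj1.home
    other = appending_call(after_return, "mailer")       # a different subsystem, later
    return {
        "callee": rights_for(callee, acl),               # granted
        "nested": rights_for(nested, acl),               # granted: reachable only via editor
        "caller_after_return": rights_for(after_return, acl),  # not via this term
        "other_subsystem": rights_for(other, acl),       # nothing: access "revoked"
        "last_component": last_component_call(caller, "editor"),
    }
```

The nested case is the point of the ".##" idiom: every domain the term matches has the callee's Domain ID as a prefix, and under Appending Specification such a domain can only be entered by calling that same subsystem from that same caller again, so the term can be left in place after the return.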

This control of access to arguments is made possible by the way in which Appending Specification assigns a protected subsystem to a domain. Using Exact Specification or Partial Specification, each protected subsystem is assigned to one domain. Any call to a particular subsystem always enters the same domain, independent of the domain of the caller or the process in which the call is made. Thus using either of these mechanisms, the caller must grant access to the callee prior to the call and must later revoke that access. With Last Component Specification, the domain that a particular subsystem enters depends on the process it is called in, but not on the subsystem that makes the call. Thus some objects remain accessible to a process throughout the life of the process, and can be used as arguments to a call with no special handling. With Appending Specification, the domain in which a protected subsystem executes depends on the subsystem that called it. This allows very precise specification of the access rights to be given to each invocation of a protected subsystem.

There are, however, some undesirable effects of not assigning a particular subsystem to the same domain at each call. As each subsystem can be invoked in several domains in each process, Appending Specification will tend to use more domains than the other mechanisms. Each domain requires a certain amount of local storage for local variables. In addition, in a system that performs dynamic linking, such as the Multics computer utility, the processor time required to link a subsystem in each domain may become expensive.

In addition to the economic objections to not always assigning a subsystem to one domain, one might argue that the environment that is provided by Appending Specification is more difficult to program in. One can have objects that are accessible only to one subsystem (by using ACL terms of the form ##.subsystem), only to one person or project (Person.##, or *.Project.##), or only to one invocation (by specifying the exact domain of that invocation in the ACL term). A user must be very careful in deciding the access that he desires for the objects of the system. Current programming languages do not provide an easy way to specify all of the possible storage classes. For these reasons, while Appending Specification is the most natural of the four mechanisms to use for the calling of protected subsystems, it might not be suitable for all computer utilities.



5.3 Domain Changing and Confinement.

In this section, we discuss two aspects of domain changing in a computer utility that provides confinement. We first consider how to use the domain changing mechanisms of the computer utility to control the assignment of confinement sets to processes. We desire to control the confinement set that a process receives because that confinement set partially determines the objects that the process can read. In some applications of confinement mechanisms to military security, the confinement set of the process may be the only form of access control.
To control the confinement set received by a newly created process, or a 
newly called protected subsystem, we include in the domain gate object the 
specification of a confinement set. The confinement set assigned to a newly 
created process or newly called protected subsystem must be contained in the 
confinement set specified by the gate that was used for process initiation or 
calling. In addition, we require that the confinement set specified by a gate 
be a subset of that of the creator of that gate. These two rules ensure that 
the assignment of a confinement set to a process is properly authorized. They 
do not, however, prevent the domain changing mechanism from releasing confined 
information. 

We now consider how to keep our domain changing mechanisms from being 
used to release confined information. Lampson [La73] suggests that the 
channels that can be used to transfer confined information be enumerated, so 
that they can be individually closed. In this section we enumerate the 
channels provided by our four domain changing mechanisms, and suggest ways to 
prevent these channels from being used to release confined information. 

With each of the four mechanisms, there are six operations that could be 
used to release confined information: 

1) Domain object creation. 

2) Domain gate object creation. 

3) Process initiation. 

4) Calling of protected subsystems. 

5) Deletion of domain objects, or domain gate objects. 

6) Modification of access control information for domain objects or domain 
gate objects. 
We now enumerate the channels produced by these six operations. 

Domain creation can be used to transmit information in two ways: 

1a) The domain object created could carry confined information. 

1b) The Domain ID used could carry confined information, and could be observed 
by other processes attempting to create domain objects. 

The first of these channels can be effectively blocked by forcing the 
creation and use of domain objects to follow the *-property. We assign to 
each domain object the confinement set of the creator of that domain object, 
and require that a process have a confinement set that contains that of the 
domain object in order to use that domain object to create gates. (1) 

The second channel is more difficult to close, as all of our mechanisms 
depend on the fact that the Domain ID in a particular domain object is 
different from the Domain IDs in all other domain objects. One possible 
solution is to partition the space of possible Domain IDs among the possible 
confinement sets. We require that the Domain ID given to a new domain object 
be a member of the set of Domain IDs assigned to the confinement set of the 
creator of that domain object. This can be done by including some designation 
of the confinement set of the creator in the Domain ID. Partitioning the 
Domain ID space among confinement sets in this manner prevents the observation 
of the use of a Domain ID by a process with a confinement set not equal to 
that of the user. Thus the use of a Domain ID cannot release confined 
information. 


(1) If domain and domain gate objects are implemented in a hierarchical file 
system, then the confinement set of the directory containing a domain or 
domain gate can be used to provide this control. 
Gate creation presents one channel for the release of confined 
information: 

2a) The gate that is created could carry confined information. 

This channel can be closed in the same manner as channel 1a above: by 
enforcing the *-property for the creation and the use of domain gates. (1) 

Process initiation presents an additional channel for the release of 
confined information: 

3a) The gate chosen for process initiation can convey information, even if the 
created process has no means of communicating with its creator. 

To block this channel, we must require that the created process have a 
confinement set that contains that of the creator. There is no way to prevent 
the gate chosen for process initiation from conveying information. On the 
other hand, our mechanisms provide no way for the creator to obtain 
information about the created process. Therefore there is no reason to force 
the confinement sets of the creator and created process to be equal. 


(1) Note that the confinement set associated with a gate in order to enforce 
the *-property is different from the confinement set specified by the gate. 
The confinement set specified by a gate was introduced earlier to control the 
assignment of a confinement set to a process created with that gate. The 
confinement set introduced above controls the use of the gate, and prevents 
the use of a gate as a covert channel. 
The calling of protected subsystems presents two possible communication 
channels: 

4a) The caller can pass information to the callee by the choice of a gate for 
the call. 

4b) There are a number of ways in which the callee might be able to pass 
information to the caller. 

The first of these channels can be blocked in the same manner as channel 
3a above. This means that performing a call to a protected subsystem will 
never cause the confinement set of a process to decrease. 
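The rules above (gate confinement sets bounded by their creators, the *-property on the use of domain objects and gates, partitioned Domain IDs, and a domain change that never shrinks the confinement set) can be checked in a few lines. The following is an added example, not code from the thesis or from Multics: a confinement set is modelled as a frozenset of compartment names, "contained in" is ordinary subset, and the class and function names are assumptions of this example. One function, enter_gate, serves both process initiation (channel 3a) and protected subsystem calls (channel 4a), since both are governed by the same rules.

```python
"""Confinement-set rules for domain objects, gates and domain changes.

Added example, not code from the thesis or from Multics.  A confinement set
is a frozenset of compartment names; "A is contained in B" is plain subset.
All class and function names are assumptions of this example.
"""
from dataclasses import dataclass


class ConfinementViolation(Exception):
    """Raised when a domain changing operation would break confinement."""


@dataclass(frozen=True)
class Process:
    name: str
    confset: frozenset       # compartments the process is allowed to read


@dataclass(frozen=True)
class DomainObject:
    domain_id: tuple         # (partition tag, local name); see DomainIdRegistry
    confset: frozenset       # confinement set of its creator (closes channel 1a)


@dataclass(frozen=True)
class Gate:
    domain: DomainObject
    initial_procedure: str
    specified_confset: frozenset   # bound on the confset a new process receives
    use_confset: frozenset         # confset of the gate's creator (closes 2a)


class DomainIdRegistry:
    """Domain ID space partitioned among confinement sets (closes channel 1b).

    A creator can only learn whether a local name is taken inside the
    partition for its own confinement set, so the choice of a Domain ID is
    observable only by processes with exactly that confinement set.
    """

    def __init__(self):
        self._in_use = set()

    def allocate(self, creator, local_name):
        tag = tuple(sorted(creator.confset))   # designation of the creator's confset
        domain_id = (tag, local_name)
        if domain_id in self._in_use:
            raise ConfinementViolation("Domain ID already in use in this partition")
        self._in_use.add(domain_id)
        return domain_id


def create_domain(registry, creator, local_name):
    """Rule 1a: the new domain object inherits the creator's confinement set."""
    return DomainObject(registry.allocate(creator, local_name), creator.confset)


def create_gate(creator, domain, initial_procedure, specified_confset):
    # *-property for use of the domain object: creator's confset must contain it
    if not domain.confset <= creator.confset:
        raise ConfinementViolation("creator may not use this domain object")
    # the confset a gate specifies must be a subset of its creator's confset
    if not specified_confset <= creator.confset:
        raise ConfinementViolation("gate would specify more than its creator holds")
    return Gate(domain, initial_procedure, specified_confset, creator.confset)


def enter_gate(caller, gate, requested_confset, new_name):
    """Process initiation or protected subsystem call through a gate."""
    # *-property for use of the gate (channel 2a)
    if not gate.use_confset <= caller.confset:
        raise ConfinementViolation("caller may not use this gate")
    # the assigned confset must lie within what the gate specifies
    if not requested_confset <= gate.specified_confset:
        raise ConfinementViolation("requested confinement set exceeds the gate's")
    # the choice of gate itself conveys information to the callee (3a, 4a),
    # so the callee must be at least as confined as the caller
    if not caller.confset <= requested_confset:
        raise ConfinementViolation("domain change would decrease the confinement set")
    return Process(new_name, requested_confset)


def demo():
    """Constructed scenario: an unconfined user and a user cleared for 'secret'."""
    registry = DomainIdRegistry()
    plain = Process("plain", frozenset())
    secret = Process("secret", frozenset({"secret"}))
    dom = create_domain(registry, plain, "payroll")
    gate = create_gate(secret, dom, "payroll_init", frozenset({"secret"}))
    outcomes = {"secret_enters": enter_gate(secret, gate, frozenset({"secret"}), "p1").confset}
    for label, caller, req in [("plain_uses_secret_gate", plain, frozenset()),
                               ("secret_downgrades", secret, frozenset())]:
        try:
            enter_gate(caller, gate, req, "p2")
            outcomes[label] = "allowed"
        except ConfinementViolation:
            outcomes[label] = "refused"
    # the same local name is free in another partition; a collision is only
    # visible inside the partition where the name is already taken
    create_domain(registry, secret, "payroll")
    try:
        create_domain(registry, plain, "payroll")
        outcomes["plain_reuses_name"] = "allowed"
    except ConfinementViolation:
        outcomes["plain_reuses_name"] = "refused"
    return outcomes
```

The unconfined process cannot use the gate at all (its use label is the gate creator's confinement set), and the cleared process cannot use it to obtain a less confined process; the second allocation of "payroll" succeeds in the "secret" partition because the registry never reveals the unconfined partition's names to it.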

The problem of keeping a subsystem from releasing information to its 
caller is shared by all calling mechanisms. Lampson [La73] shows some subtle 
ways in which information can be released in this way. Rotenberg [Ro74] 
studied this problem in detail and proposed a partial solution. This thesis 
does not discuss the problem further. 

The deletion of domain objects and domain gate objects, and the 
manipulation of the ACLs of these objects, are operations that modify the 
directory that contains the object being deleted or the ACL being manipulated. 
Thus the confinement set of that directory is used to control those 
operations [Be73]. 

From the above discussion, we see that our mechanisms for authorizing 
domain changes do not violate confinement. An examination of the methods used 
to prevent the release of confined information reveals, however, that it is 
impossible to create a gate that crosses confinement sets (i.e. one that is 
accessible to a process with a confinement set that is different from that 
specified by the gate). As with other types of objects in a computer utility, 
the confinement sets of domain objects and domain gate objects may need to be 
changed by some trusted authority in order to make the system usable. Such 
"declassification" is needed with existing confinement mechanisms [Ro74, Be73] 
as well. The intervention of a trusted authority (person) is needed because 
programs lack the judgement needed to decide whether or not the object being 
declassified conveys confined information. 


5.4 Choosing Domain Changing Mechanisms. 

Of the four domain changing mechanisms that have been presented, we see 
that none serves well both for authorizing process initiation and protected 
subsystem calls. We have already suggested one method of obtaining a domain 
changing mechanism that performs both functions: combining Partial 
Specification with an argument passing mechanism similar to those of Jones and 
Schroeder. Such mechanisms, however, are not easily implemented in existing 
computer systems. 

A second way to obtain a domain changing mechanism is to combine two of 
our four mechanisms. Using Partial Specification for process initiation, and 
Last Component Specification for calls, we obtain a mechanism that performs 
well for process initiation, and provides some help in passing arguments. 
These two mechanisms can easily be combined. Such a combination does not 
provide the argument passing capabilities of the mechanisms of Jones and 
Schroeder, but is significantly easier to implement. 

Another combination of domain changing mechanisms that is particularly 
attractive is that of Exact Specification for process initiation, and 
Appending Specification for calls. With this combination, all processes are 
initiated in a domain with a one component Domain ID. Additional components 
are acquired by making calls to gates specifying those components. This 
scheme allows each authority responsible for a particular domain to validate 
attempts to enter that domain with the initial procedure for the gate that is 
used to obtain the component corresponding to that authority. With Partial 
Specification, all authorities must agree on a single initial procedure to be 
used in validating attempts to enter a domain. This scheme, however, has all 
of the above mentioned problems of the Appending Specification mechanism. 

The variable length Domain IDs (which cause substantial complexity in the 
implementation of Appending Specification) could be eliminated by restricting 
the depth of calls, and thus the number of components that a process can 
accumulate. The current Multics implementation of ACLs allows only three 
components, and would require substantial modification to increase that 
number. Three components are not enough to implement the Person and Project 
authorization of Multics and allow the coexistence of mutually suspicious 
subsystems in a single process. At least four components (Person, Project, 
and one for each subsystem) would be required. Any change in the number of 
components would also require the modification of the ACLs on objects 
currently stored by Multics. 

Because of the problems mentioned above for Appending Specification, and 
because Appending Specification would be very difficult to implement for the 
Multics computer utility, we have chosen to use the combination of Partial 
Specification and Last Component Specification for the test implementation. 
This choice was made primarily on the basis of the characteristics of the 
Multics computer utility, and should not be taken as an indication that this 
choice is inherently superior. 
CHAPTER 6 

THE TEST IMPLEMENTATION 


6.1 The Multics System. 

In this chapter, I describe a test implementation of process initiation 
for the Multics computer utility, based on the model of this thesis. The 
chapter begins with a brief discussion of the functions performed by the 
present implementation of process initiation for Multics, continues with a 
description of the test implementation, and concludes with an evaluation of 
the test implementation. For this discussion, it is assumed that the reader 
has some familiarity with access-control-list based protection schemes, 
segmented virtual memory systems, and multi-level security systems. No 
detailed knowledge of Multics is assumed. 

The Multics process is implemented as an execution point in a segmented 
virtual address space. The segments are organized in a hierarchical file 
system. Each reference of a process to a segment is validated by three access 
control mechanisms: the Access Control List (ACL) mechanism, the Ring 
mechanism, and the Access Isolation Mechanism (AIM). 

The ACL mechanism implements a list oriented protection scheme with 
multi-component Principal IDs. The two currently used components stand for 
Person and Project, two independent authorities that must authorize the 
creation of a process. The ACL mechanism is hierarchical, in that 
modification of an ACL for a segment or directory is controlled by the ACL on 
the directory that contains that segment or directory. 
The ring mechanism provides 8 protection rings within each process. The 
sets of segments that can be read or written in these rings are linearly 
nested, with ring 0 being the largest set. The ring mechanism is used 
primarily to protect the Multics operating system. 

The AIM mechanism implements a multi-level security system that attempts 
to prevent the flow of information from a high security classification to a 
lower security classification. The technique used is to prevent operations 
that spread information, as in our model of confinement mechanisms. The 
security classifications used are a combination of a level and a compartment 
within a level. 


Process Initiation in Multics. 


There are three types of processes created by Multics: 

1) Interactive processes, which are created to serve a user at a terminal. 

2) Absentee processes, which perform a series of operations for a user from 
a previously generated script. 

3) Daemon processes, which perform system functions and communicate with 
the operator. 


All of these processes are created by a privileged process known as the 
Initializer. (The Initializer is one of the Daemon processes and is itself 
created when the system is initialized.) I will now discuss briefly how each 
of the five functions of process initiation is performed by Multics. 


Process Creation. 


Processes in Multics are created by the Initializer process executing in 
ring 0. A process is created with the Principal ID and initial procedure 
specified by the Initializer. A directory for the process, in which temporary 
segments for the process will be kept, and several segments in that directory 
that will be needed to support the process, are created at the time that the 
process is created. 


Resource Control. 

The following resource control activities take place during process 
initiation in the current Multics implementation: 

1) An account to fund the activities of the new process is located. 

2) The Initializer determines whether or not the new process will overload 
the system and degrade service to other processes. 

3) The scheduling parameters, which determine the rate at which a process 
consumes CPU and memory resources, are determined for the new process. 

4) The mechanism that monitors the CPU and memory usage of all processes is 
informed of the newly created process. 

All of these activities take place in the Initializer process in the current 
implementation. Additional resources may be given to a process after it has 
been created, but such resource allocations will not be considered here as 
they are not part of process initiation. 


Domain Changing. 

The concept of a domain corresponds most closely with the access rights 
defined by one Principal ID on Multics. There is no single mechanism on 
Multics that controls the Principal ID given to a new process. This control 
is accomplished by a complicated set of programs in the Initializer process 
that decide the initial procedure and Principal ID of the process to be 
created. An interactive process can be created with a given Principal ID only 
if a user who is authorized to use that Principal ID, and has satisfied an 
authentication performed by the Initializer, requests such a process. An 
Absentee process can be created with a given Principal ID only if an Absentee 
request is received by the Initializer from a process with that Principal ID. 
A Daemon process with a given Principal ID can be created at the request of 
the operator. 


Authentication. 


As noted above, the Initializer must authenticate interactive users in 
order to determine which Principal ID to assign to the processes that are 
created for interactive users. This authentication is accomplished by a 
password check. Presentation of a correct password entitles a user to obtain 
a process with any Principal ID with the Person component that is 
authenticated by that password. Each project has a Project administrator who 
is responsible for controlling access to that project. The project 
administrator maintains a list of users who may use his project. This list 
provides the authorization for the Project component. 


Environment Initialization. 

The standard initial procedures for Interactive, Absentee, and Daemon 
processes perform the following functions: 

1) Initialization of the error condition handling for the process. 

2) Attachment of the terminal channel or Absentee script to a command 
processor. 
The proposed removal of the dynamic linking and name space management 
mechanisms from the security kernel of Multics would add the initialization of 
these mechanisms to environment initialization [Ja75, Br75]. In addition to 
these activities, one function of environment initialization is currently 
performed by the Initializer before a process is actually created: the 
Initializer creates a home directory for a process if such a directory does 
not already exist. The Initializer creates the directory because the process 
itself does not in general have sufficient access rights to do so. 

As can be seen from the descriptions above, the mechanisms of process 
initiation for Multics are highly interdependent. Resource control, domain 
changing, and authentication are all performed by the same set of programs in 
the Initializer process, and all use the same data bases (a list of authorized 
users and their attributes, a list of authorized projects and their 
attributes, and the lists of authorized users for each project). At least one 
part of environment initialization is also performed by the Initializer 
process and makes use of the same data bases. 

In redesigning process initiation according to our model, we attempted to 
keep these mechanisms separate, while maintaining the functionality of the 
current implementation wherever possible. We were particularly interested in 
showing that process initiation for Multics can be implemented in a 
multi-layered security kernel as argued in the earlier chapters of this 
thesis. 
6.2 An Implementation of Process Initiation for Multics. 

In the test implementation, each of the five functions of process 
initiation is provided by a small program module that executes independently 
of the modules that provide the other four functions. A sixth module is used 
to coordinate the activity of the other five. We begin with an overview of 
the functions performed by each module, and a brief description of how the 
modules interact to perform process initiation. Later sections of this 
chapter discuss the implementation issues in each of the modules. Appendix A 
contains a more detailed description of the programs in each module. 

The process creation function in the new implementation is the same as 
that of the current implementation. Process creation is performed by the 
Initializer process in ring 0 as before. 

Resource control in the test implementation is also very similar to that 
in the current Multics implementation. The four resource control functions 
described before are performed in the Initializer process. The programs 
providing resource control in the test implementation have been simplified by 
the removal of code that interpreted input from user terminals. 

The Partial Specification mechanism described in chapter five is used to 
control domain changing. It is implemented as a type manager for domain and 
domain gate objects, and provides functions that create and interpret these 
objects. Domain and domain gate objects are implemented as segments that are 
accessible only in rings 0 and 1. (These will be referred to as ring 1 
segments.) 

In the test implementation, authentication is the responsibility of the 
initial procedure for a domain. The logger, which initiates processes for 
interactive users, authenticates each user who contacts the computer utility 
for service and records the result as a forwarded authentication. The 
standard initial procedure for interactive processes uses the forwarded 
authentication to determine whether or not the user is authorized to use the 
process. A security conscious user can write his own initial procedure, with 
whatever authentication mechanism he desires. 

Forwarded authentications are also stored in ring 1 segments. They are 
managed by the authentication forwarding mechanism. The authentication 
forwarding mechanism restricts access to the forwarded authentications for a 
stream to those processes that can read or write that stream. 

Environment initialization is performed by the initial procedure as 
before. In addition to the functions described earlier, the standard initial 
procedure also scans the forwarded authentications as noted above. 

In addition to the above modules, there is a coordinator module that 
coordinates process initiation. The coordinator serves as an interface 
between modules, which allows the modules to function independently. The 
coordinator gathers information from the resource controller, the partial 
specification mechanism, and the process that requests process initiation (the 
creator). The coordinator distributes this information to the process creation 
module and the initial procedure for the new process. The information is held 
in a protected data base while process initiation is in progress. 

Figure 6.1 illustrates a typical process initiation. 
Figure 6.1 

A Typical Process Initiation 

[Diagram: the Creator's Process and the Resource Controller's Process side by 
side, with boxes for the Creator (Ring 4), Authorization of Domain Changing 
(Ring 1), Process Creation (Ring 0), and the Resource Controller.] 
Process initiation begins when a process that wishes to create a process 
(labeled the creator in the figure) calls on the coordinator module. The 
creator passes to the coordinator two data structures and the name of a domain 
gate object. One of these data structures describes the process to be 
created, and the other contains information to be used by the initial 
procedure of the new process in performing environment initialization. 

The coordinator then calls the domain changing mechanism, passing the 
name of the domain gate specified by the creator. The domain changing 
mechanism determines whether or not the creator has "create" access to the 
specified gate, and if so returns the name of the initial procedure and the 
Domain ID of the gate. 

The coordinator records the initial procedure and Domain ID in a 
protected data base, along with the two data structures supplied by the 
creator. The coordinator then sends a message to the resource controller 
(which executes in the Initializer process) that specifies some of the 
characteristics of the process to be created (including the initial procedure 
and Domain ID). The coordinator then waits for the resource controller's 
reply. 

If the resource controller approves the creation of the new process, it 
calls on the coordinator to complete process initiation. The resource 
controller passes to the coordinator a data structure containing parameters 
for the mechanisms that schedule the use of memory and CPU cycles by the new 
process. 

The invocation of the coordinator in the resource controller's process 
combines the information supplied by the resource controller with that 
obtained from the creator and the domain changing mechanism, to form a 
description of the process to be created. This description is passed to the 
process creation mechanism. The invocation of the coordinator in the resource 
controller's process signals the completion of process creation to the 
invocation of the coordinator in the creator's process. 
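The exchange just described, as an added example that is not code from the test implementation: the creator hands the coordinator a process description, an environment initialization structure and a gate name; the coordinator obtains the gate's initial procedure and Domain ID from the domain changing mechanism, records everything in a protected data base, sends a request to the resource controller and waits; the resource controller's own invocation of the coordinator merges the scheduling parameters in and calls process creation. The two processes are modelled as plain calls in one address space. The gate, the Principal IDs, the scheduling parameters and the overload rule are constructed for this example.

```python
"""Process initiation through the coordinator module.

Added example, not code from the test implementation.  The gate, the
Principal IDs, the scheduling parameters and the overload rule are
constructed for illustration.
"""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Gate:
    name: str
    domain_id: str
    initial_procedure: str
    create_acl: frozenset          # Principal IDs holding "create" access


class DomainChangingMechanism:
    """Ring 1 in the figure: checks the creator's "create" access to the gate."""

    def __init__(self, gates):
        self._gates = {g.name: g for g in gates}

    def authorize(self, creator_principal, gate_name):
        gate = self._gates[gate_name]
        if creator_principal not in gate.create_acl:
            raise PermissionError(f"{creator_principal} has no create access to {gate_name}")
        return gate.initial_procedure, gate.domain_id


class ResourceController:
    """Runs in the Initializer process; the overload rule is a stand-in."""

    def __init__(self, max_processes):
        self._max, self._live = max_processes, 0

    def request(self, coordinator, request_id, summary):
        if self._live >= self._max:
            coordinator.refuse(request_id, "would overload the system")
            return
        self._live += 1
        params = {"cpu_share": round(1.0 / self._live, 3), "memory_quota_pages": 64}
        coordinator.complete(request_id, params)


class Coordinator:
    def __init__(self, dcm, controller, create_process):
        self._dcm, self._controller, self._create = dcm, controller, create_process
        self._pending = {}                      # protected data base
        self._ids = itertools.count(1)

    # invoked in the creator's process
    def initiate(self, creator_principal, process_desc, env_info, gate_name):
        initial_proc, domain_id = self._dcm.authorize(creator_principal, gate_name)
        request_id = next(self._ids)
        self._pending[request_id] = {"initial_procedure": initial_proc,
                                     "domain_id": domain_id,
                                     "process_desc": process_desc,
                                     "env_info": env_info, "result": None}
        # message to the resource controller, then wait for its reply
        self._controller.request(self, request_id,
                                 {"domain_id": domain_id,
                                  "initial_procedure": initial_proc,
                                  "kind": process_desc["kind"]})
        return self._pending.pop(request_id)["result"]

    # invoked in the resource controller's process
    def complete(self, request_id, scheduling_params):
        entry = self._pending[request_id]
        description = {"domain_id": entry["domain_id"],
                       "initial_procedure": entry["initial_procedure"],
                       "scheduling": scheduling_params,
                       "env_info": entry["env_info"],
                       **entry["process_desc"]}
        entry["result"] = self._create(description)    # ring 0

    def refuse(self, request_id, reason):
        self._pending[request_id]["result"] = {"refused": reason}


_pids = itertools.count(100)


def create_process(description):
    """Stand-in for the unchanged ring 0 process creation module."""
    return {"pid": next(_pids), **description}


def demo():
    """Constructed scenario: a logger daemon creates an interactive process."""
    dcm = DomainChangingMechanism([Gate("Smith_login", "Smith.Payroll",
                                        "standard_login_init",
                                        frozenset({"Logger.SysDaemon"}))])
    coord = Coordinator(dcm, ResourceController(max_processes=1), create_process)
    first = coord.initiate("Logger.SysDaemon", {"kind": "interactive"},
                           {"terminal": "tty12"}, "Smith_login")
    second = coord.initiate("Logger.SysDaemon", {"kind": "interactive"},
                            {"terminal": "tty13"}, "Smith_login")
    try:
        coord.initiate("Jones.Payroll", {"kind": "absentee"}, {}, "Smith_login")
        unauthorized = "created"
    except PermissionError:
        unauthorized = "refused by domain changing mechanism"
    return first, second, unauthorized
```

Note the order of checks: the domain changing mechanism refuses an unauthorized creator before the resource controller is ever consulted, and the resource controller's refusal reaches the creator through the same protected entry that an approval would, so the creator learns only the outcome.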

The above overview leaves many unanswered questions about the functioning 
of the modules. Later sections of this chapter describe each module in 
greater detail, and consider the implementation issues in each module. 

Process Creation. 

The process creation module for the test implementation was taken 
directly from the current Multics implementation. The set of functions 
performed by the process creation module of the current implementation was 
exactly the desired set. 

Domain Changing. 

As noted before, the current Multics implementation does not contain a 
mechanism to authorize the use of a domain. The Partial Specification 
mechanism described in chapter five was used for this purpose in the test 
implementation. Partial Specification was chosen because it models the two 
authority authorization scheme used in Multics very well. It also required no 
changes to the existing ACL mechanism, as Appending Specification would have; 
nor did it require that the ACLs of objects already in the Multics hierarchy 
be modified. The domain changing mechanism of the test implementation adopted 
the strategies discussed in chapter five to prevent the release of confined 
information by domain changing. 

The module that authorizes domain changes is small and simple, and relies 
on the Multics ACL mechanism in order to perform the authorization. 
Domain and domain gate objects are represented by ring 1 segments in the 
Multics hierarchy. These segments are similar to those used to implement 
other extended type objects, such as mailboxes and message segments. The 
Access Control List associated with a ring 1 segment determines which 
processes can read or write that segment while executing in ring 1. Thus, the 
ACL mechanism can be used to control the use of domain and domain gate 
objects by processes, just as it was in our description of Partial 
Specification in chapter five. 

The domain changing mechanism thus provides operations to create or 
delete domain and domain gate objects, while access control for these objects 
is performed by the access control mechanism for segments. Choosing to 
implement domain and domain gate objects as segments has the disadvantage that 
each domain or domain gate object must be allocated at least one page (36864 
bits) of storage, while in fact each domain object requires only 720 bits and 
each domain gate requires 1260 bits. The inefficient use of storage was 
tolerable for the test implementation, but may be a severe problem in a system 
that supports a large number of domains. 

A second responsibility of the domain changing mechanism is to insure the 
uniqueness of the Domain IDs in the domain objects. For this purpose, the 
domain changing mechanism maintains a data base that contains all of the 
Domain IDs in use (appearing in domain objects). The data base is protected 
by a lock to prevent simultaneous updates that could cause duplication. The 
data base is implemented as a linear list of partially specified Domain IDs, 
corresponding to the partially specified Domain IDs that are used in the 
domain objects. The linear list representation was chosen because searches of 
the data base are infrequent (because domain creation is infrequent) and 
because the linear search is much simpler, and therefore easier to verify 
correct, than more efficient searching procedures. 

Domain IDs are never deleted from this data base, so that they cannot be 
re-used. This means that the Domain ID data base is constantly growing as 
more domains are created. The growth was not a severe problem in the test 
implementation, because the amount of space required for each Domain ID is 
small (56 characters), and the creation or deletion of domain objects is 
infrequent. 

We need not maintain in the Domain ID data base any Domain ID that does 
not appear in a domain object, a domain gate object, or an ACL term. The 
assignment of such unused Domain IDs to new domain objects cannot cause 
confusion. Thus the file system could be periodically scanned to determine 
which of the Domain IDs in the Domain ID data base were actually in use. Such 
a check could be incorporated in the program that scans the file system to 
verify the integrity of the file system. 

In order to implement the multiple authority authorization scheme of 
Multics, domain objects specifying only the Person component or only the 
Project component are used. A project domain object by convention is kept in 
the project directory for that project. Thus the project administrator for a 
project can control the use of the project by modifying the ACL of the domain 
object for that project. The person domain objects present a more difficult 
problem, because the hierarchical access control of Multics makes it difficult 
to give each user exclusive control over the ACL of his domain object. In our 
implementation, the person domain objects are all kept in a single directory 
(>udd>persons). Each has an ACL that allows only the corresponding user's 
processes to create gates. Modification of the ACL of a person domain object 
requires administrative action. This use of the domain changing mechanism is 
illustrated by figures 5.1a and 5.1b. 
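One way to implement the two-authority scheme and the Domain ID data base described above, as an added example rather than the test implementation's code: Principal IDs and ACL terms use the Multics Person.Project.tag form with "*" as a wildcard; the mode names "create_gate" and "create", the mapping of ring 1 segment access onto them, and the rule that a gate's Domain ID is formed from one Person domain object and one Project domain object are assumptions drawn from the description; the principals and directory names are constructed.

```python
"""Partial Specification with Person and Project domain objects.

Added example, not the test implementation's code.  The mode names, the
combination rule for Domain IDs, and all principals are assumptions.
"""
import threading


def acl_allows(acl, principal, mode):
    """acl is a list of (term, modes); the first matching term decides, so
    this example keeps terms ordered most specific first."""
    parts = principal.split(".")
    for term, modes in acl:
        if all(t in ("*", p) for t, p in zip(term.split("."), parts)):
            return mode in modes
    return False


class DomainIdRegistry:
    """Linear list of partially specified Domain IDs in use.  Entries are
    never removed, so an ID is never re-used; a lock prevents simultaneous
    updates that could register the same ID twice."""

    def __init__(self):
        self._ids = []
        self._lock = threading.Lock()

    def register(self, partial_id):
        with self._lock:
            if partial_id in self._ids:
                raise ValueError(f"Domain ID {partial_id} already in use")
            self._ids.append(partial_id)


class DomainObject:
    def __init__(self, registry, partial_id, acl):
        registry.register(partial_id)
        self.partial_id = partial_id      # "Smith.*" (Person) or "*.Payroll" (Project)
        self.acl = acl                    # who may create gates from this object


class Gate:
    def __init__(self, domain_id, initial_procedure, acl):
        self.domain_id = domain_id
        self.initial_procedure = initial_procedure
        self.acl = acl                    # who may initiate processes through it


def create_gate(creator, person_dom, project_dom, initial_procedure, gate_acl):
    """Both authorities must have granted the creator create_gate access."""
    for dom in (person_dom, project_dom):
        if not acl_allows(dom.acl, creator, "create_gate"):
            raise PermissionError(f"{creator} may not create gates from {dom.partial_id}")
    person = person_dom.partial_id.split(".")[0]
    project = project_dom.partial_id.split(".")[1]
    if "*" in (person, project):
        raise ValueError("need one Person domain object and one Project domain object")
    return Gate(f"{person}.{project}", initial_procedure, gate_acl)


def authorize_initiation(creator, gate):
    if not acl_allows(gate.acl, creator, "create"):
        raise PermissionError(f"{creator} has no create access to gate {gate.domain_id}")
    return gate.initial_procedure, gate.domain_id


def demo():
    registry = DomainIdRegistry()
    # >udd>persons>Smith: ACL set administratively, only Smith's processes
    smith = DomainObject(registry, "Smith.*", [("Smith.*.*", {"create_gate"})])
    # project directory: the project administrator maintains this ACL
    payroll = DomainObject(registry, "*.Payroll",
                           [("Smith.*.*", {"create_gate"}), ("Jones.*.*", {"create_gate"})])
    gate = create_gate("Smith.Payroll.a", smith, payroll, "payroll_login_init",
                       [("Logger.SysDaemon.*", {"create"}), ("*.*.*", set())])
    outcomes = {"gate": gate.domain_id,
                "logger": authorize_initiation("Logger.SysDaemon.z", gate)[0]}
    for label, action in [
            ("jones_uses_smith", lambda: create_gate("Jones.Payroll.a", smith, payroll, "x", [])),
            ("jones_initiates", lambda: authorize_initiation("Jones.Payroll.a", gate)),
            ("duplicate_id", lambda: DomainObject(registry, "Smith.*", []))]:
        try:
            action()
            outcomes[label] = "allowed"
        except (PermissionError, ValueError):
            outcomes[label] = "refused"
    # the project administrator revokes Smith: no new Smith.Payroll gates
    payroll.acl = [("Jones.*.*", {"create_gate"})]
    try:
        create_gate("Smith.Payroll.a", smith, payroll, "x", [])
        outcomes["smith_after_revocation"] = "allowed"
    except PermissionError:
        outcomes["smith_after_revocation"] = "refused"
    return outcomes
```

Revoking Smith on the project domain object stops further gate creation but does not touch the gate already created; as the text notes for Domain IDs generally, removing existing gates is a separate, administrative step.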


Authentication Forwarding. 

The test implementation provides authentication forwarding as described 
in chapter three, for both local terminal channels and connections made 
through the Arpa Network. 

Chapter three notes that each forwarded authentication should be 
accompanied by identifying information, so that the user of a forwarded 
authentication can identify its author. Our implementation of authentication 
forwarding records the Principal ID, ring number, and process ID of the author 
and the time of recording for each forwarded authentication. The Principal ID 
and ring number identify the domain of the author, while the process ID and 
time form a unique index for the forwarded authentication. Although it would 
be desirable to record the procedure that produced each forwarded 
authentication, this information cannot be obtained: a Multics procedure 
cannot reliably identify its caller. 

The forwarded authentications are stored in ring 1 segments, so that 
access to forwarded authentications can be controlled. One such segment is 
used for each Arpa Network socket or local terminal channel that actually has 
forwarded authentications. 

The use of one segment for each channel allows the forwarded 
authentications for each channel to be managed independently of those for 
other channels. Thus a process cannot interfere with the use of forwarded 
authentications for any channel that that process can not use. Each forwarded 
authentication requires approximately 2000 bits of storage. Thus, up to 5000 
forwarded authentications can be stored for each channel. 


Page 82 Chapter 6 


As noted in chapter three, only those processes that could use a stream 
should be allowed to read or record forwarded authentications for that stream. 
Control of forwarded authentications is accomplished in the test 
implementation by checking the accessibility of the stream before recording or 
reading forwarded authentications. The accessibility of a stream is checked 
by requesting the connection status of that stream. The Multics 
implementation denies status information about a stream to processes that do 
not have access to the stream. 

Three strategies were adopted to insure that forwarded authentications
always refer to the current connection of a stream:

1) Each process that has access to a stream may delete the forwarded
authentications for that stream.

2) The forwarded authentications for a stream are automatically deleted
when that stream is disconnected.

3) A scheme similar to the connection count scheme described in chapter
three was implemented.


Any process that believes that the forwarded authentications for a stream
that the process has been using are no longer valid can thus delete those
forwarded authentications. The second strategy above insures that a forwarded
authentication never refers to a previous connection of a stream.

The connection count is not implemented exactly as described in chapter
three. This is because we do not want to maintain connection counts for
channels not in use, as there are many such channels. Instead, the time at
which the last call to connect a channel was made is used as the connection
count of that channel. The time is expressed with sufficient precision that
two connections cannot be made to the same channel at the same time. The use
of the time of connection as the connection count avoids the necessity of
maintaining information for channels that are not connected.

The implementation of forwarded authentications very closely follows the
description of chapter three. The programs that implement forwarded
authentications are all small and simple.

Authentication Forwarding is used to allow the initial procedure of an
interactive process to make use of the standard system authentication
mechanism. The logger process authenticates each user who contacts Multics,
and records the result as a forwarded authentication. The initial procedure
of an interactive process chooses whether or not to believe the forwarded
authentication.


Resource Control. 

The resource controller for the test implementation was adapted from the
current Multics implementation of process initiation. The Multics resource
controller was adapted to communicate with the coordinator module (described
later) rather than with a terminal channel, Absentee request, or the operator.
This change did not affect the function performed by the resource controller,
but merely changed its source of information.

A second series of changes was made to make the resource controller
reject a process creation request that contained unacceptable parameters,
rather than attempting to correct those parameters. This change was made
primarily because the resource controller cannot alter some parameters, such
as the initial procedure and domain of a new process. This change does not
alter the resource control constraints enforced by the resource controller.
The resource controller makes use of three privileged operations in order
to implement resource control constraints.

1) The resource controller is allowed to monitor the CPU and memory usage
of all processes.

2) The resource controller can destroy any process.

3) The resource controller determines the scheduling parameters, which
partially determine the rate at which processes consume resources.


These operations do not allow the resource controller to violate access
control constraints, as shown in chapter four.

The Multics resource controller implements a very complex set of resource
control constraints, which are designed to give each user a fair share of the
computing resources of Multics. The fact that this complex set of constraints
can be implemented with only the above three operations suggests that our
model can be used for many resource control policies.

The resource controller is a very complex set of programs. Some of this
complexity arises from the fact that the resource controller has been derived
from the current Multics implementation, which had other responsibilities in
addition to resource control. A great deal of the complexity, however, is
inherent in the nature of the constraints being implemented. It is clear that
removing this complexity from the access control layer of the security kernel
will result in a simpler certification of that layer.

Environment Initialization.

In our model, each domain is responsible for initializing its
environment. Environment initialization for a domain is performed by the
initial procedures of that domain, and therefore is under control of the
authority responsible for that domain. An initial procedure for interactive
processes that performed environment initialization was written for the test
implementation. This initial procedure is intended as a demonstration of
environment initialization in our model.

The initial procedure performs all of the environment initialization
functions mentioned above (initialization of error handling and attachment of
the terminal stream to the command processor). In addition, it checks the
forwarded authentications for the source of the stream that represents the
terminal channel. The forwarded authentications are checked to insure that the
identity of the source of the stream had been verified by a trusted
authentication procedure, and that the authenticated user corresponds to the
Person component of the Principal ID of the new process. The procedure that
was implemented trusted any process with the same Principal ID as that of the
new process, and also trusted the Logger process.

The environment initialization performed by this initial procedure is
very simple and straightforward. Notice that any desired authentication
check could have been made, rather than relying on the forwarded
authentications.
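The following is an added illustration, not code from the thesis or from the
Multics test implementation. It models, in Python, the forwarded
authentication store of the preceding section (one segment per channel,
accessibility checked through connection status, the three strategies for
keeping authentications current, and the time of connection used as the
connection count) together with the trust check made by the initial
procedure just described. The channel names, process numbers, time values
and the Logger's Principal ID are assumed.

```python
# Constructed model of the forwarded-authentication store and of the initial
# procedure's trust check.  Not the PL/I code of the test implementation;
# LOGGER_PRINCIPAL, channel names and time values are assumed.
from dataclasses import dataclass
from typing import Dict, List, Set

LOGGER_PRINCIPAL = "Logger.SysDaemon.z"   # assumed Principal ID of the logger process


@dataclass(frozen=True)
class ForwardedAuth:
    author_principal: str     # Principal ID of the author
    author_ring: int          # ring number of the author (with the Principal ID: its domain)
    author_process: int       # process ID of the author
    recorded_at: int          # time of recording; with the process ID, a unique index
    connection_time: int      # "connection count" of the channel when recorded
    authenticated_user: str   # Person name the author verified


class Channel:
    """One terminal channel or network socket with its own segment of
    forwarded authentications, so channels are managed independently."""

    def __init__(self) -> None:
        self.connection_time = None       # None means not connected
        self.users: Set[int] = set()      # processes that may use this stream
        self.auths: List[ForwardedAuth] = []

    def connect(self, now: int, users: Set[int]) -> None:
        # The time of the last connect call is the connection count, so it
        # must strictly increase: two connections never share a value.
        if self.connection_time is not None and now <= self.connection_time:
            raise ValueError("connection time must increase")
        self.connection_time = now
        self.users = set(users)

    def disconnect(self) -> None:
        # Strategy 2: disconnecting deletes the forwarded authentications.
        self.auths.clear()
        self.connection_time = None
        self.users = set()


class ForwardedAuthStore:
    def __init__(self) -> None:
        self.channels: Dict[str, Channel] = {}

    def channel(self, name: str) -> Channel:
        return self.channels.setdefault(name, Channel())

    def _check_access(self, name: str, process_id: int) -> Channel:
        # As in the test implementation, a process that may not use the
        # stream is denied its connection status, and therefore all access.
        ch = self.channels.get(name)
        if ch is None or ch.connection_time is None or process_id not in ch.users:
            raise PermissionError(f"process {process_id} may not use {name}")
        return ch

    def record(self, name, process_id, principal, ring, now, user) -> ForwardedAuth:
        ch = self._check_access(name, process_id)
        fa = ForwardedAuth(principal, ring, process_id, now, ch.connection_time, user)
        ch.auths.append(fa)
        return fa

    def read(self, name, process_id) -> List[ForwardedAuth]:
        ch = self._check_access(name, process_id)
        # Strategy 3: anything recorded under an earlier connection count is
        # stale and is not returned.
        return [a for a in ch.auths if a.connection_time == ch.connection_time]

    def delete_all(self, name, process_id) -> None:
        # Strategy 1: any process with access may delete them.
        self._check_access(name, process_id).auths.clear()


def initial_procedure_accepts(store, name, new_process_id, new_principal) -> bool:
    """The initial procedure's check: some current forwarded authentication
    for the terminal stream must have a trusted author (a process with the
    same Principal ID as the new process, or the Logger) and must name the
    Person component of the new process's Principal ID."""
    person = new_principal.split(".")[0]   # a Principal ID is Person.Project.tag
    trusted_authors = {new_principal, LOGGER_PRINCIPAL}
    return any(a.author_principal in trusted_authors and a.authenticated_user == person
               for a in store.read(name, new_process_id))
```

The initial procedure in this model never consults the author's process ID or
ring directly; those fields serve, as in the thesis, to identify the author
and to index the record, while trust is decided on the Principal ID alone.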


The Coordinator. 

The coordinator gathers information from the domain changing mechanism,
the resource controller, and the process that requests process initiation (the
creator). This information is combined to form the parameters given to the
process creation module and to the initial procedure of the new process. The
coordinator allows the creator, the domain changing mechanism, the resource
controller, and the new process all to function independently. Several
strategies are adopted by the coordinator in order to insure this
independence.

Each parameter produced by the coordinator is derived from the
information presented to the coordinator in a well defined manner. Thus the
domain changing mechanism is given control of the Principal ID, ring number,
and initial procedure for the new process, the resource controller is given
control of the parameters that determine the rate at which the new process can
use CPU and memory resources, and the creator is allowed to pass additional
parameters to the new process such as information about the task that that
process is to perform.

As can be seen from figure 6.1, the coordinator gathers information in
both the creator's process and the resource controller's process. The
creator's and the domain changing mechanism's inputs to process initiation are
copied into a ring 1 data base before the resource controller is notified of a
process initiation attempt. Thus process initiation can be completed even if
the creator's process is destroyed before the resource controller acts on the
request.

The resource controller is given a limited time to act on each request
before the request will be aborted and the information related to it purged
from the ring 1 data base. The time limit insures that the coordinator will
not have to keep a request indefinitely. It also insures that the resource
controller cannot cause confusion by delaying a process initiation attempt
until the task that that process was to perform is no longer relevant.

A unique index is given to each process initiation request so that the
resource controller and the coordinator do not become confused if two requests
are made for processes with similar characteristics or if the resource
controller attempts to respond to a request that the coordinator has given up
on and aborted.

The coordinator is a large program, but is simple in structure. The size
of the coordinator is primarily due to the number of parameters that must be
generated from the available information.
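The following is an added illustration, not the coordinator or resource
controller of the test implementation. It models in Python the division of
responsibility described in the Resource Control and Coordinator sections:
the domain changing mechanism alone fixes the Principal ID, ring and initial
procedure; the resource controller accepts or rejects the requested resource
parameters rather than correcting them; the creator's inputs are copied into
the coordinator's own data base at submission; every request gets a unique
index; and a request the controller does not answer in time is aborted. The
timeout value, the field names and the controller's limits are assumed.

```python
# Constructed model of coordinator and resource controller interaction.
# Not the thesis's PL/I code; REQUEST_TIMEOUT, field names and limits are
# assumed.
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional

REQUEST_TIMEOUT = 60.0   # assumed: seconds the resource controller has to answer


@dataclass(frozen=True)
class GateInfo:
    """Contributed by the domain changing mechanism, which alone fixes the
    domain and the entry point of the new process."""
    principal_id: str
    ring: int
    initial_procedure: str


@dataclass(frozen=True)
class ResourceParams:
    """Contributed by the resource controller: the rate at which the new
    process may consume CPU and memory."""
    cpu_priority: int
    memory_limit: int


@dataclass
class PendingRequest:
    index: int
    submitted_at: float
    gate: GateInfo
    creator_args: Dict[str, str]   # copied out of the creator's process at submission


class ResourceController:
    """Rejects a request whose parameters are unacceptable instead of
    correcting them; it cannot alter the domain or the initial procedure."""

    def __init__(self, max_memory: int, max_priority: int) -> None:
        self.max_memory = max_memory
        self.max_priority = max_priority

    def decide(self, requested: ResourceParams) -> Optional[ResourceParams]:
        if requested.memory_limit > self.max_memory:
            return None
        if not 0 <= requested.cpu_priority <= self.max_priority:
            return None
        return requested


class Coordinator:
    def __init__(self) -> None:
        self._next_index = itertools.count(1)
        self.pending: Dict[int, PendingRequest] = {}   # the ring 1 data base
        self.aborted: List[int] = []

    def submit(self, now: float, gate: GateInfo, creator_args: Dict[str, str]) -> int:
        # A unique index keeps two similar requests apart, and the creator's
        # inputs are copied now so the request survives the creator's death.
        index = next(self._next_index)
        self.pending[index] = PendingRequest(index, now, gate, dict(creator_args))
        return index

    def purge_expired(self, now: float) -> List[int]:
        expired = [i for i, r in self.pending.items()
                   if now - r.submitted_at > REQUEST_TIMEOUT]
        for i in expired:
            del self.pending[i]
        self.aborted.extend(expired)
        return expired

    def complete(self, index: int, now: float,
                 decision: Optional[ResourceParams]) -> Optional[dict]:
        """Apply the resource controller's answer.  Returns the parameters
        handed to process creation and to the initial procedure, or None if
        the request was aborted, is unknown, or was rejected."""
        self.purge_expired(now)
        request = self.pending.pop(index, None)
        if request is None or decision is None:
            return None
        return {
            # from the domain changing mechanism only
            "principal_id": request.gate.principal_id,
            "ring": request.gate.ring,
            "initial_procedure": request.gate.initial_procedure,
            # from the resource controller only
            "cpu_priority": decision.cpu_priority,
            "memory_limit": decision.memory_limit,
            # from the creator: passed through, with no way to touch the above
            "creator_args": request.creator_args,
        }
```

A late answer from the controller for an index already purged is simply
dropped, which is the behaviour the unique index and the time limit are meant
to provide.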


6.3 Conclusions on the Test Implementation. 


This chapter has shown how process initiation was implemented for the
Multics computer utility. In this section, we compare this new implementation
with the current implementation of process initiation for Multics, to see the
advantages and disadvantages of our model.

Three advantages of the model are immediately apparent. The first of
these is the reduction of the amount and complexity of the programs in each
kernel layer. In the current Multics system, any program executing in the
Initializer process could potentially create a process with any desired
initial procedure and Principal ID. Thus all of the programs that execute in
the Initializer process must be considered to be in the innermost layer of the
kernel. These programs include not only all of the process initiation
mechanism, but also other complicated programs such as those that handle the
scheduling of Absentee requests and those that implement the Telnet and FTP
protocols of the Arpa Network. Also included in the programs executed in the
Initializer process are numerous programs that had been removed from ring 0
with the intent of removing them from the security kernel. In our
implementation, the set of programs in each layer of the kernel is well
defined and in each case smaller than the set of programs that are in the
Initializer process in the current implementation.

Tables 6.1 and 6.2 show the impact of the model on the size of the
Multics security kernel, both in terms of lines of PL/I code, and in terms of
the number of modules. The tables include all of the modules related to
process initiation, and all other programs that are only included in the
kernel because they execute in the Initializer process. The figures for the
kernel layers are cumulative. (i.e. The figures for the Denial of Service
layer include those for the Access Control layer, and the figures for the
Confinement layer include both the other layers.)

The first line of each table shows the current size of the kernel.
Because Multics currently has a single kernel layer that implements all of the
security constraints, only one number is shown. The second line represents
the size of the kernel layers as measured in the test implementation. These
figures show a great reduction in the access control layer, because many of the
programs in the Initializer process need not be included in that layer.

The test implementation did not take full advantage of the simplification
that could be achieved by making process initiation unprivileged. Many of the
functions performed by the Initializer process in the test implementation do
not need to be performed there. The third line of Tables 6.1 and 6.2
estimates the size of each kernel layer in an implementation that took full
advantage of the model of this thesis, by removing all unnecessary programs
from the Initializer process, and by recoding those that remain to remove
functions not related to resource control.

Table 6.1

The Impact of the Model on the Number of Lines of PL/I Code in the Kernel

                                 Unprivileged   Access    Denial of   Confinement
                                                Control   Service
Current Multics Implementation        150       ---------- 2000 -----------
The Test Implementation              1150          825      10050      10050
A Full Implementation of the
  Ideas of this Thesis               6600          825       3500       3900


Table 6.2

The Impact of the Model on the Number of Programs in the Kernel

                                 Unprivileged   Access    Denial of   Confinement
                                                Control   Service
Current Multics Implementation          3       (single figure not legible)
The Test Implementation                 5            8          3         43
A Full Implementation of the
  Ideas of this Thesis                 17            8         23         27


A second advantage of the model is that every process can request the
creation of a new process, whereas only the Initializer can create new
processes in the current implementation. This restriction is the reason that
functions such as the Absentee system and the Telnet and FTP protocols of the
Arpa Network must be implemented in the Initializer process. This can result
in a substantial reduction of the kernel, as approximately 3000 lines of PL/I
code are used in the current implementation to provide these functions. These
functions, and any new function requiring the creation of processes, need not
be performed in the security kernel in an implementation of process initiation
based on our model.

A third advantage of the model is that the authority responsible for a
domain can control the use of that domain through the initial procedure of the
domain. The mechanisms for such control are less apparent in the current
implementation.

The test implementation does, however, have several disadvantages. We
have already noted that the implementation of domain and domain gate objects
is very wasteful of storage. At the time of this investigation the M.I.T.
Multics system had approximately 2000 users and 250 projects, and would
require a total of perhaps 5000 domain and domain gate objects. These objects
would occupy about 5% of the available permanent storage space. The storage
requirement could be substantially reduced if the domain and domain gate
objects were supported by the mechanism that implements directories. The data
contained in a domain or domain gate object could be placed in the directory
containing that object, thus eliminating the need to have a whole segment to
hold the representation of such objects. Such an implementation would add
some complexity to the programs that implement directories, due to the
problems of maintaining the large central data base.
The implementation of forwarded authentications also makes poor use of
storage if each stream has only a small number of forwarded authentications.
This inefficiency is tolerable, because few streams are connected to Multics
at any one time, and forwarded authentications need be maintained only for
connected streams.

The implementation based on the model is slightly slower than the current
Multics implementation of process initiation. Each process initiation
requires about .1 CPU seconds more in our implementation. The extra time is
due to the time required to merge the data structures and the time required to
format and transmit the request to the resource controller. The total time
required for process initiation on Multics is approximately 4 seconds. (Most
of this is spent by the resource controller.) The test implementation is thus
not significantly slower than the current Multics implementation of process
initiation.

The hierarchical access control structure of Multics is in some ways
inconsistent with the access control needs for domain and domain gate objects.
This inconsistency leads to difficulty in modelling exactly the authorization
scheme used in Multics.

Overall, the model has substantially simplified the layers of the
security kernel and provided some additional functionality at the cost of
using more storage and CPU time, and of forcing users to be careful of the
effects of hierarchical access control. Because security is an important goal
of the Multics system, this cost can be justified. The following chapter will
evaluate the model in the more general context of its use for any computer
utility.

CHAPTER 7

EVALUATION AND CONCLUSIONS

In this chapter, we evaluate our model as a whole and draw some
conclusions about its usefulness in structuring process initiation. We begin
with a comparison of the model with two other process initiation schemes.
Following this comparison, we summarize the conclusions about the model.
Finally, we discuss topics for further research in the area of process
initiation.


7.1 Comparison. 

In this section, we compare our model with two common schemes for process
initiation: A hierarchical scheme, such as that used in the CAP system
[Wa73], and a scheme with central control such as the current Multics
implementation of process initiation. These are the most commonly used
schemes in current computer systems. We compare the ease with which these
three schemes can be used to create processes in the following situations:

1) Creating a process to act for an interactive user at a terminal.

2) Creating one or more processes to carry out some parallel processing
algorithm.

3) Creating a process to execute a subsystem that is mutually suspicious
with its caller.
In the hierarchical scheme, each process assigns a subset of its
resources and a subset of its access rights to each process that it creates.
Each process is totally dependent on its creator for resources and access
rights. Each process is destroyed when its creator is destroyed. In the
centrally controlled scheme, only one process is allowed to create processes.
This privileged process controls completely the access rights and resources
granted to all processes. The privileged process never terminates.


Process Creation for Interactive Users.

The creation of processes for interactive users was extensively studied
in chapter three. Both the model and the centrally controlled scheme handle
this situation well. The model, however, offers more flexibility than the
centrally controlled scheme. With the model, different processes can be used
to create processes for users of different terminals. This capability is
useful if the protocols used to talk to different terminals are different.
These logger processes need not be certified correct in order to achieve the
security goals of the computer utility. The model also allows a security
conscious user to protect himself against malfunctions of most of the process
initiation mechanism.

The hierarchical scheme of process initiation can also easily be used to
create processes for interactive users. The process that responds to requests
for processes from interactive users (the logger process) must, however,
manage all of the resources required by those users and must be given access
to all objects needed by those users. The hierarchical scheme is not readily
extended to allow more than one process to create processes for users, as is
our model. The hierarchical scheme does not allow the security conscious user
to protect himself from the logger process, because the logger has complete
control of the resources and access rights of user processes.


Parallel Processing. 

The hierarchical scheme of process creation handles the creation of
processes to perform parallel processing for a single user very well. Once an
initial process has been created for an interactive user, that process can
create additional processes for the user to perform parallel processing. The
resources and access rights assigned to the user's first process can be
distributed among these processes as needed.

The central scheme requires that each process be created by the
privileged process. The privileged process may not provide the resources or
access rights needed by the user, as it has less knowledge of the task to be
performed than does the user's initial process. The central scheme does,
however, provide a better opportunity to control the total number of processes
in the computer utility. As noted in chapter four, such control is needed to
insure that the resource controller can respond rapidly to demands for
resources. Most current computer systems impose limits on the total number of
processes.

The model shares some of the drawbacks of the central scheme, but
provides somewhat more flexibility than that scheme. Like the central scheme,
our model has one central resource controller that is responsible for all
resource allocation. As before, the central resource controller must
participate in each process creation, and may not provide exactly the desired
resources. The resource controller can, however, control the number of
processes in the computer utility, as in the central scheme.
Access rights in our model, however, are not under control of a central
authority. The domain changing mechanism provides control over the
creation of processes, and over the assignment of access rights to processes.
Thus the use of parallel processes by a user can be controlled by controlling
access to the domain and domain gate objects for that user's domain. The
availability of parallel processing to a user may also depend on the task to
be performed, as the initial procedures specified by the gates into the user's
domain may restrict the tasks that the user can perform.


Mutually Suspicious Subsystems. 

The protection of mutually suspicious subsystems is one of the most
interesting and difficult computer protection problems. Schroeder presents a
mechanism that allows mutually suspicious subsystems to cooperate in a shared
process. This mechanism does not guarantee each subsystem a fair share of the
resources of the process, and thus one subsystem may deny service to others in
the same process. By providing separate processes for such subsystems, we can
eliminate the problem of denial of service.

The model of process initiation of this thesis is ideal for the creation
of processes to execute mutually suspicious subsystems. The domain changing
mechanism allows the owner of a subsystem to control the calling of that
subsystem, while the central resource control mechanism allows the resources
of the caller and callee to be separately managed. Thus neither the caller
nor callee need trust the other.

In the central scheme, all processes are created by the privileged
process. Thus each creation of a process for a protected subsystem involves
communication with the privileged process. The privileged process must
implement some control over the creation of processes for protected subsystems
similar to that of our domain changing mechanism. There must also be a secure
communication mechanism that allows each process to communicate requests for
processes to the privileged process. All protected subsystems must trust the
privileged process to provide the correct access rights and resources. The
central mechanism allows the caller and callee to be independent, as does our
model.

The hierarchical scheme for process initiation is the most difficult of 
the three to use for the creation of a process for a protected subsystem. 
Because in the hierarchical scheme a process is totally dependent on its 
creator to provide resources and access rights, a process cannot directly 
create a process for a subsystem with which it is mutually suspicious. Each 
process must instead appeal to some process that the subsystem to be executed 
trusts. 

Figure 7.1 shows a process hierarchy including two processes that are
mutually suspicious. Subsystem X (in process 3) could not directly create a
process for subsystem Y, because they were mutually suspicious. Subsystem X
had to locate a process that both it and subsystem Y trusted (process 1 in the
example) to create the process for Y.

Figure 7.1

Hierarchical Process Creation for Mutually Suspicious Subsystems.

[Diagram not reproduced; of its labels only "Process 1" and "Process 2"
survive in this text.]


As with the central scheme, secure communications are needed, and each
process that creates processes for protected subsystems must implement some
control scheme. If only the process at the top of the hierarchy creates
processes for mutually suspicious subsystems, then this scheme reduces to the
centrally controlled scheme. The hierarchical and central schemes for process
initiation are both more awkward to use for the creation of processes for
mutually suspicious subsystems than the model of this thesis.
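The following is an added illustration, not code from the thesis or from the
CAP system. It models in Python the hierarchical scheme as described in this
section: a process may grant a child only subsets of its own access rights
and resources, a process is destroyed together with its creator, and a
process for a mutually suspicious subsystem must be created by an ancestor
that both the caller and the subsystem trust, as subsystem X does in figure
7.1. Process names, right names, resource amounts and the trust sets are
assumed.

```python
# Constructed model of the hierarchical process creation scheme.  Not the
# thesis's code; names, rights, resource units and trust sets are assumed.
from typing import List, Optional, Set


class HProcess:
    def __init__(self, name: str, rights: Set[str], resources: int,
                 parent: Optional["HProcess"] = None) -> None:
        self.name = name
        self.rights = set(rights)
        self.resources = resources
        self.parent = parent
        self.children: List["HProcess"] = []
        self.alive = True

    def create(self, name: str, rights: Set[str], resources: int) -> "HProcess":
        # A child's rights and resources are always subsets of the creator's,
        # and the resources given away are no longer the creator's to use.
        if not self.alive:
            raise RuntimeError(f"{self.name} has been destroyed")
        if not rights <= self.rights:
            raise PermissionError(f"{self.name} cannot grant {sorted(rights - self.rights)}")
        if resources > self.resources:
            raise ValueError(f"{self.name} has only {self.resources} units left")
        self.resources -= resources
        child = HProcess(name, rights, resources, self)
        self.children.append(child)
        return child

    def destroy(self) -> List[str]:
        """Destroying a process destroys its whole subtree; returns the names
        of the processes destroyed, parent first."""
        gone = [self.name]
        self.alive = False
        for child in self.children:
            gone.extend(child.destroy())
        self.children = []
        return gone

    def ancestors(self) -> List["HProcess"]:
        chain, p = [], self.parent
        while p is not None:
            chain.append(p)
            p = p.parent
        return chain


def creator_for_subsystem(caller: HProcess, caller_trusts: Set[str],
                          callee_trusts: Set[str]) -> Optional[HProcess]:
    """The caller cannot create the callee's process itself (they are mutually
    suspicious), so it appeals to the nearest live ancestor that both the
    caller and the callee subsystem trust; None if there is no such process."""
    for p in caller.ancestors():
        if p.alive and p.name in caller_trusts and p.name in callee_trusts:
            return p
    return None
```

With the tree of figure 7.1 (process 1 creating process 2, which creates
process 3), a request from process 3 for a subsystem that trusts only
process 1 is answered by process 1, and if the two trust sets have no
ancestor in common no process can create the subsystem's process at all.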

7.2 Conclusions About the Model.

In this section we summarize the advantages and disadvantages of our
model. Some of these observations have been discussed at length in other
sections and are only briefly mentioned here.

As can be seen from the preceding section, the model handles the creation
of processes for interactive users and for mutually suspicious subsystems very
well. It provides more flexibility than the other two schemes considered,
while forcing users to rely on less of the process initiation mechanism of the
computer utility. The model performs less well than the hierarchical scheme
for the creation of processes for parallel processing. The model does,
however, provide control that the hierarchical scheme does not. The resource
controller of the model can easily control the total number of processes so
that it can respond rapidly to changing resource requirements, and the domain
changing mechanism can be used to control the tasks for which each user can
use parallel processes.

Another benefit of our model is that it separates the mechanisms that
perform the five functions previously identified: Process creation, domain
changing, authentication, resource control, and environment initialization.
This separation allows each function to be implemented in a small program
module, independent of the other functions. The structure achieved by using
small independent modules is easy to verify and easy to modify.

The model also shows the security constraints that can be violated by the
programs that implement each function. Thus we can clearly see which of the
modules must be certified correct in order to achieve the security goals of a
given system. In the test implementation for the Multics computer utility, we
saw that the size and complexity of the programs that must be certified to
achieve the security goals of Multics are both reduced in the implementation
based on the model.

Another benefit of the implementation of the model is that it allows any
process to create processes. Unlike the hierarchical scheme, the sets of
resources and access rights of a process are not restricted to be subsets of
those of the creator of that process. Thus any application that requires the
creation of processes can easily be implemented in a computer utility using
our model, without modifying the process creation mechanism or the security
kernel.

One of the primary drawbacks of the model is the problem of maintaining
the domain and domain gate objects for the domain changing mechanism in an
efficient manner. In our test implementation, we chose to use very simple
management techniques that wasted a large amount of storage. Objects with
small representations are inefficiently supported by current hardware
technology. This forces the implementor to abandon the hardware protection
mechanism for small objects if they must be efficiently implemented.
Providing equivalent protection in software greatly increases the size and
complexity of the programs that manage such objects. Newer hardware
organizations, such as that of the CAP processor [Wa73], make better provision
for small objects.

A second drawback is that the controls provided by the model over process
initiation may be somewhat awkward to use. We found in the test implementation
that the hierarchical access control mechanism of Multics made it difficult to
give each user complete control of his home domain. Each user must be very
careful in creating domains and gates. The accessibility of all of the
directories above a given object must be considered in determining the
accessibility of that object.

The initial procedure of a domain must also be carefully coded to ensure
proper use of that domain. The authentication forwarding mechanism allows the
initial procedure to trust a central authentication mechanism to ensure proper
use of the domain. Our model achieves a smaller and simpler security kernel
by allowing the user to protect himself. Thus there is a greater probability
that the protection facilities of the computer utility will be misused and not
provide the desired security constraints.

Finally, the argument that authentication and environment initialization
can be removed from the security kernel in our model is somewhat deceptive.
Clearly, in the test implementation the security of the entire system depends
on the authentication and environment initialization performed by the initial
procedure used to enter the Locksmith domain. The existence of such
privileged domains forces all users to depend on the programs that execute in
those domains, much as the security of the entire system is dependent on the
compilers and editors used to produce the programs of the security kernel.
The privileged domains are infrequently used, and auditing the use of
privileged domains may be sufficient to provide security.

7.3 Topics for Further Research.

This thesis leaves several problems in the area of process initiation
unsolved. In this section, we briefly describe those problems.

Our model identifies five independent functions of process initiation.
The test implementation demonstrates one way in which these five functions can
be coordinated to perform process initiation. We did not explore extensively
other organizations. (One such organization would require that each process
begin execution in the domain of its creator. All domain changes would be
accomplished by cross-domain calls. Such an organization may provide an
implementation of process initiation that is even simpler than that chosen for
the thesis.)

This thesis did not consider many of the problems associated with
allowing users to create processes. We did not present a resource control
scheme to insure that each user receives a fair share of the available
resources, independent of the number of processes that he is using. The
resource control mechanism of Multics does not provide this guarantee.
Developing such a resource control scheme, and demonstrating that it can be
implemented in our process initiation structure, would be an interesting
research project.

The thesis presents a novel authentication scheme. The test
implementation did not test some of the ideas presented. In addition, it is
not entirely clear how this scheme interfaces with authentication mechanisms
based on encryption. A recent masters thesis [Ke76] investigated the use of
encryption in providing secure communication channels. The protocols
developed fit well with the authentication scheme of this thesis. Some
further work may be needed, however, to bring together all of the ideas about
authentication in these two theses.
APPENDIX A 
DETAILS OF THE IMPLEMENTATION 

This appendix presents a more detailed description of the test 
implementation than is given in the text. The appendix is organized in 
sections, each section devoted to one of the functions of process initiation 
discussed in the text. Each section describes the programs that implement the 
corresponding function and the data structures that are used by those 
programs. 

Each of the programs described is a PL/1 procedure, possibly with 
multiple entry points. The function performed by each entry point is briefly 
described, along with the function of the entire program. The contents of the 
data structures are described, but not the detailed format. 
hphcs_$create_proc: 
This is the entry to the programs that actually create processes. As 
stated in the text, this function of process initiation was taken from 
the current implementation. This program takes two data structures as 
arguments, create_info and pitmsg. The create_info structure describes 
the process to be created and is described below, while the pitmsg 
structure is not used during process creation and is passed to the 
programs that perform environment initialization. The pitmsg structure 
will therefore be described in the environment initialization section. 


Data Structures: 

create_info: 
The create_info structure contains the following information: 

Principal ID for the new process, 
Initial and highest ring numbers for process, 
AIM clearance for process, 
Maximum AIM clearance for process (not respecting the limit requested when 
the process was created), 
Audit checking flags, 
Process ID for new process (half specified by creator and half filled in by 
process creation), 
Process ID and trouble report channel, 
Pointer to and length of the pitmsg structure for this process, 
Record quota for storage in the process directory for the new process, 
Location and maximum length of the linkage offset table, combined linkage 
segment, and known segment table for the new process, 
Scheduler work class for this process. 
Environment Initialization. 
Programs: 

user_init_admin_: 
This is the first program that gets called in the user ring in a newly 
created interactive process. It is an assembly language program whose 
only function is to call user_real_init_admin_ and process_overseer_. 
These calls are performed because the first program called in a process 
cannot return until the process terminates, and therefore leaves a frame 
on the stack for the life of the process. As much of the work of 
environment initialization as is possible is done by programs that can 
return and thus release their stack frames. 

user_real_init_admin_: 
This program obtains a pointer to the pitmsg structure for the process. 
(This structure was placed in the process directory by process creation.) 
The program also initializes the process's communication channel to the 
user that requested the process, and finds the system process_overseer_ 
program, or a user specified process overseer. user_real_init_admin_ 
also establishes error handlers for certain error conditions that are 
handled by the same programs throughout the life of the process. 
user_real_init_admin_ makes use of the information in the pitmsg data 
structure that is described below. 

process_overseer_: 
This is the standard initial procedure for interactive processes. It 
first establishes a handler for any error conditions that occur during 
the life of the process and are not handled by other programs. Then, it 
scans the list of forwarded authentications for the communication channel 
of the process. If an authentication that was performed either by a 
trusted system procedure, or by a process with the same Principal ID as 
that of the new process can be found, and if that authentication 
identifies the correct user (the one who matches the first component of 
the Principal ID of the new process), then execution proceeds. Otherwise, 
the process is terminated. 

If the authentication check is successful, then process_overseer_ 
prints the system message of the day, and executes the user's "start up" 
commands. process_overseer_ then calls the command listener to wait for 
commands from the user. 
Data Structures: 

pitmsg: 
The pitmsg structure contains the following information: 

Process type (interactive, absentee, or daemon), 
Home directory, 
Process creation time, 
Login time (may be different from above if several processes are created for a 
session with one user), 
Login line, 
Name of communication channel, 
I/O module needed to use terminal channel, 
AIM access class of terminal channel, 
Resource control attributes of this process, 
Load control information for this process, 
Summary of previous usage of the process's account (supplied by the resource 
controller), 
Additional information for absentee processes. 
dm_ is a gate used to call the domain and domain gate object managers. 
Below is a list of the entries to dm_ and the programs that they call. 

entry                            program called 
dm_$create_domain                domain_manager_$create_domain 
dm_$create_gate                  domain_manager_$create_gate 
dm_$interpret_domain             domain_manager_$interpret_domain 
dm_$interpret_gate               domain_manager_$interpret_gate 
dm_$delete_domain                domain_manager_$delete_domain 
dm_$delete_gate                  domain_manager_$delete_gate 
dm_$add_dom_acl_entries          domain_manager_$add_dom_acl_entries 
dm_$add_gate_acl_entries         domain_manager_$add_gate_acl_entries 
dm_$delete_dom_acl_entries       domain_manager_$delete_dom_acl_entries 
dm_$delete_gate_acl_entries      domain_manager_$delete_gate_acl_entries 
dm_$list_dom_acl                 domain_manager_$list_dom_acl 
dm_$list_gate_acl                domain_manager_$list_gate_acl 
dm_$replace_dom_acl              domain_manager_$replace_dom_acl 
dm_$replace_gate_acl             domain_manager_$replace_gate_acl 
dm_$make_process                 initiate_process_$initiate_process_ 


domain_manager_: 
This program is the manager for objects of type domain and domain gate. 
The program has several entry points that allow the creation, deletion, 
and access control list manipulation of these objects. The program uses 
the domain, domain_gate, and domain_list structures described below. 


domain_manager_$create_domain: 
This entry point creates a domain object. The entry point takes the 
directory pathname and entry name desired for the domain object to be 
created, the desired ring number, and the desired Principal ID. The 
Principal ID is checked to insure that it does not duplicate a previously 
specified Principal ID in any component. For this purpose, 
domain_manager_ maintains a list of all Principal IDs currently in use in 
the domain_list data base. If the Principal ID is acceptable, then a 
segment is created in the specified directory with the specified entry 
name suffixed by ".domain". This segment is accessible only in ring one 
and contains the domain data structure described below. 


domain_manager_$create_gate: 
This entry point creates domain_gate objects. It takes as arguments the 
directory and entry name for the desired domain gate, a list of domain 
objects that determine the Principal ID of the gate, a ring number, an 
AIM authorization for processes created with the gate, and the name of an 
initial procedure. If the set of domain objects correctly specifies a 
Principal ID, then a segment is created in the desired location with the 
desired name suffixed by ".domain_gate". This segment is accessible only 
in ring 1 and is used to contain the domain_gate structure described 
below. The gate specifies the given initial procedure, and the maximum of 
the caller's ring, the specified ring, and the ring contained in each of the 
specified domain objects. The AIM clearance specified by the gate is the 
minimum of the caller's clearance, the specified clearance, and the 
clearances of all of the domain objects. 
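The two checks just described (component uniqueness in create_domain, and the ring and clearance derivation in create_gate) as an added Python model; this is not the thesis's PL/1 code. It assumes a Principal ID is a (person, project) pair with "*" meaning unspecified, models AIM clearance as a single integer level, and gives each domain object a clearance attribute, which the domain structure listed below does not include.

```python
"""Model of the domain_manager_ create_domain / create_gate checks.

Added example, not the thesis's PL/1 code.  Assumptions: a Principal ID is
the pair (person, project) with "*" meaning unspecified; AIM clearance is a
single integer level (higher = more privileged); a domain object carries a
clearance attribute, which the domain structure in this appendix does not
list but the create_gate description relies on.
"""
from dataclasses import dataclass

UNSPECIFIED = "*"


@dataclass(frozen=True)
class DomainObject:
    person: str
    project: str
    ring: int
    clearance: int            # assumed attribute (see module docstring)
    pathname: str             # where the ".domain" segment lives


@dataclass(frozen=True)
class DomainGate:
    person: str
    project: str
    ring: int
    clearance: int
    initial_procedure: str


class DomainManager:
    def __init__(self):
        # domain_list data base: (person, project, pathname) per domain in use
        self.domain_list = []

    def create_domain(self, person, project, ring, clearance, pathname):
        """Refuse a Principal ID that duplicates an existing one in any
        specified component; otherwise record it and return the object."""
        for used_person, used_project, used_path in self.domain_list:
            if person != UNSPECIFIED and person == used_person:
                raise ValueError(f"person {person!r} already specified by {used_path}")
            if project != UNSPECIFIED and project == used_project:
                raise ValueError(f"project {project!r} already specified by {used_path}")
        self.domain_list.append((person, project, pathname))
        return DomainObject(person, project, ring, clearance, pathname)

    @staticmethod
    def create_gate(caller_ring, caller_clearance, domains, ring, clearance,
                    initial_procedure):
        """Combine the domain objects into one Principal ID and derive the
        gate's ring and clearance so that the gate never grants more
        privilege than its creator or any contributing domain holds."""
        person = project = UNSPECIFIED
        for d in domains:
            if d.person != UNSPECIFIED:
                if person not in (UNSPECIFIED, d.person):
                    raise ValueError("domain objects disagree on person")
                person = d.person
            if d.project != UNSPECIFIED:
                if project not in (UNSPECIFIED, d.project):
                    raise ValueError("domain objects disagree on project")
                project = d.project
        if UNSPECIFIED in (person, project):
            raise ValueError("domain objects do not specify a complete Principal ID")
        # A higher ring number is less privileged, so take the maximum;
        # a higher clearance is more privileged, so take the minimum.
        gate_ring = max([caller_ring, ring] + [d.ring for d in domains])
        gate_clearance = min([caller_clearance, clearance] + [d.clearance for d in domains])
        return DomainGate(person, project, gate_ring, gate_clearance, initial_procedure)
```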


domain_manager_$interpret_gate, 
domain_manager_$interpret_domain: 
These entry points return the information contained in domain and domain 
gate objects, provided that the caller has the proper access (p for 
gates, and c for domains). 

domain_manager_$delete_domain, domain_manager_$delete_gate: 
These entry points delete domain and domain_gate objects. 

domain_manager_$add_dom_acl_entries, 
domain_manager_$add_gate_acl_entries, 
domain_manager_$delete_dom_acl_entries, 
domain_manager_$delete_gate_acl_entries, 
domain_manager_$list_dom_acl, 
domain_manager_$list_gate_acl, 
domain_manager_$replace_gate_acl, 
domain_manager_$replace_dom_acl: 
These entry points perform ACL manipulation for domain and domain gate 
objects. They have similar interfaces to the entries in hcs_ that 
perform ACL manipulation for segments. 

create_domain, create_gate, delete_domain, delete_gate, status_domain, 
status_gate, list_acl_domain, list_acl_gate, set_acl_domain, set_acl_gate: 
These are all entry points to a program that implements user commands for 
manipulating domain and domain gate objects. They will not be described 
in detail. 
Data Structures: 

domain: 
The domain structure is used to implement a domain object, and contains 
the following information. 

Person component of Principal ID for this domain (* means unspecified), 
Project component of Principal ID for this domain (* means unspecified), 
Ring number of domain, 
Creation time of domain. 

domain_gate: 
The domain_gate structure is used to implement domain gates and contains 
the following information. 

Person component of Principal ID of the domain of the gate, 
Project component of the Principal ID of the domain of the gate, 
Ring number of the domain of the gate, 
AIM authorization specified by the gate, 
Initial procedure of the gate, 
Flag indicating whether or not the initial procedure should be called before 
the I/O attachments and static condition handlers of the process are 
initialized (before user_real_init_admin_ is called). 

domain_list: 
The domain_list structure is used to keep a record of the Principal IDs 
currently in use. It has a header that contains a lock and the number of 
entries. Each entry contains the following information: 

Person component of the Principal ID, 
Project component of the Principal ID, 
Pathname of the domain object that specifies this Principal ID. 
Authentication. 
Programs: 

asm_: 
asm_ is a gate used to access the authentication forwarding mechanism. 
Below is a list of entries to asm_ and the programs that they call. 

entry                            program called 
asm_$tty_assert                  assertion_manager_$tty_assert 
asm_$tty_read_assertions         assertion_manager_$tty_read_assertions 
asm_$tty_delete_assertions       assertion_manager_$tty_delete_assertions 
asm_$ncp_assert                  assertion_manager_$ncp_assert 
asm_$ncp_read_assertions         assertion_manager_$ncp_read_assertions 
asm_$ncp_delete_assertions       assertion_manager_$ncp_delete_assertions 
asm_$priv_net_assert             assertion_manager_$priv_net_assert 


hcs_, net_, netp_: 
These are the gates through which the primitives that manipulate local 
terminal channels and ARPA network channels are reached. Several entries 
in these gates were changed to call entries in ritty_ instead. This is 
done to maintain the index data bases used by ritty_, and to notice when 
these channels are connected and disconnected. The following entries 
were changed: 

entry                            program called 
hcs_$tty_index                   ritty_$tty_index 
hcs_$tty_order                   ritty_$tty_order 
net_$ncp_activate                ritty_$ncp_activate 
net_$ncp_connect                 ritty_$ncp_connect 
net_$ncp_order                   ritty_$ncp_order 
netp_$priv_net_activate          ritty_$priv_net_activate 

assertion_manager_: 
This program manages forwarded authentications. It does so by 
maintaining a segment for each channel connected to the system containing 
the forwarded authentications for that channel. The format of these 
segments is described by the assertion_seg data base. These segments are 
kept in the directories >system_control_1>assertions>tty_seg and 
>system_control_1>assertions>ncp_seg, and are accessible only in ring 1. 
There are three entries to assertion_manager_ for each function, one for 
local channels, one for network channels, and one for privileged 
manipulation of network channels. 


assertion_manager_$tty_assert, 
assertion_manager_$ncp_assert, 
assertion_manager_$priv_net_assert: 
These entries record forwarded authentications. They take as input the 
name of a channel, the asserted user name, and an uninterpreted string of 
"extra" information. They call entries in ritty_ to translate from the 
name of the channel to the index for the channel needed to determine the 
state of the channel. The state is then obtained in order to insure that 
the caller has access to the channel and that the channel is still 
connected. If these conditions are met, the forwarded authentication, 
along with information identifying its author, is recorded in the 
assertion_seg for the channel. 


assertion_manager_$tty_read_assertions, 
assertion_manager_$ncp_read_assertions, 
assertion_manager_$priv_net_read_assertions: 
These entries extract the forwarded authentications for a channel. They 
take the name of a channel, and convert and verify it as above. If the 
channel is accessible, as many forwarded authentications as will fit in a 
list supplied by the caller of assertion_manager_ are returned, along 
with a count of the total number of forwarded authentications present. 
If the verification of the specified channel reveals that the channel is 
disconnected, the assertion_seg for that channel is deleted, and an error 
code is returned. 

assertion_manager_$tty_delete_assertions, 
assertion_manager_$ncp_delete_assertions, 
assertion_manager_$priv_net_delete_assertions: 
These entry points delete the forwarded authentications for a channel. 
They are provided to allow any program that detects that such 
authentications are no longer valid to delete them. The same 
verification procedure is used as before, and the appropriate 
assertion_seg is deleted. 


ritty_: 
This program serves two purposes. First, it maintains data bases to 
translate between channel names and channel indices. Second, it notices 
requests to connect channels and calls assertion_manager_ to delete the 
assertion_seg for any successful attempt. It maintains two data bases, 
>system_control_1>ncpxs and >system_control_1>ttyxs, that are described 
below. 

ritty_$get_ttyx, ritty_$get_ncpx: 
These entries obtain the index for a channel name. If the named channel 
is not known to the system, an index of 0, which is invalid, is returned. 

ritty_$get_tty_name, ritty_$get_socket_num: 
These entries return the local channel name or network socket number of a 
given index. If the index is invalid, an invalid name or socket number 
is returned. 

ritty_$tty_index, 
ritty_$ncp_activate, 
ritty_$priv_net_activate: 
These entries record the index assigned to a channel name. They call the 
supervisor to obtain the index. 

ritty_$tty_order, ritty_$ncp_order, ritty_$ncp_connect: 
These entries check for orders to connect channels. If such an order is 
made, the assertion_seg for the channel is deleted by a call to 
assertion_manager_. 


Data Structures: 

ncpxs, ttyxs: 
These two data bases are used to maintain the index mapping. Each 
contains a lock, a length, and a list of entries giving the name for each 
index currently in use. 

assertion_seg: 
An assertion_seg is maintained for each channel with forwarded 
authentications. Each assertion_seg contains a lock and the number of 
forwarded authentications, followed by a list of forwarded 
authentications. Each forwarded authentication contains the following 
information: 

Time of recording of this authentication, 
Principal of the recording process, 
Process ID of the recording process, 
Ring number of the recording process, 
Authenticated user name, 
Extra, uninterpreted information supplied by the author of the forwarded 
authentication. 
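The life cycle of a forwarded authentication (recording with the access and connection checks of assertion_manager_$tty_assert, discarding on a connect order as ritty_ does, and the acceptance rule process_overseer_ applies in the environment initialization section) as an added Python model, not thesis code. It assumes that a recording ring of 1 or lower marks a trusted system procedure, and the channel names, principals and process IDs are constructed.

```python
"""Model of assertion_seg handling and the process_overseer_ check.

Added example, not thesis code.  Assumptions: an authentication recorded
by a process running in ring 1 or lower counts as made by a trusted system
procedure; Principal IDs are (person, project) tuples; process IDs and
times are plain integers.
"""
from dataclasses import dataclass, field

TRUSTED_RING = 1   # assumption: trusted system procedures run in ring 1


@dataclass(frozen=True)
class ForwardedAuthentication:
    recorded_at: int
    recorder_principal: tuple   # Principal ID of the recording process
    recorder_process_id: int
    recorder_ring: int
    user_name: str              # the user being vouched for
    extra: str                  # uninterpreted, supplied by the author


@dataclass
class Channel:
    name: str
    connected: bool = True
    authorized: set = field(default_factory=set)   # principals with access


class AssertionManager:
    """One assertion_seg (here a list) per channel, keyed by channel name."""

    def __init__(self):
        self.segs = {}

    def assert_(self, channel, caller_principal, caller_pid, caller_ring,
                user_name, extra="", now=0):
        # tty_assert / ncp_assert: the caller must have access and the
        # channel must still be connected, otherwise nothing is recorded.
        if not channel.connected or caller_principal not in channel.authorized:
            raise PermissionError(f"no access to {channel.name} or channel disconnected")
        self.segs.setdefault(channel.name, []).append(ForwardedAuthentication(
            now, caller_principal, caller_pid, caller_ring, user_name, extra))

    def read_assertions(self, channel):
        # read_assertions: a disconnected channel loses its assertion_seg.
        if not channel.connected:
            self.segs.pop(channel.name, None)
            raise ConnectionError(f"{channel.name} is disconnected")
        return list(self.segs.get(channel.name, []))

    def on_connect(self, channel):
        # What ritty_ arranges on a connect order: assertions from the
        # previous session must not carry over to the next user of the line.
        self.segs.pop(channel.name, None)
        channel.connected = True


def acceptable(auth, new_principal):
    """The process_overseer_ rule: accept only authentications made by a
    trusted system procedure or by a process with the new process's own
    Principal ID, and only if they name the new process's person."""
    trusted_author = auth.recorder_ring <= TRUSTED_RING
    same_principal = auth.recorder_principal == new_principal
    return (trusted_author or same_principal) and auth.user_name == new_principal[0]


def overseer_check(manager, channel, new_principal):
    """True if the new process may proceed, False if it must terminate."""
    try:
        assertions = manager.read_assertions(channel)
    except ConnectionError:
        return False
    return any(acceptable(a, new_principal) for a in assertions)


def demo():
    """Constructed scenario: a ring-1 login server authenticates Smith on
    tty7, then a ring-4 process of Jones records "Smith" on tty8."""
    am = AssertionManager()
    login_server = ("Initializer", "SysDaemon")
    tty7 = Channel("tty7", authorized={login_server})
    am.on_connect(tty7)
    am.assert_(tty7, login_server, 100, TRUSTED_RING, "Smith")
    smith_ok = overseer_check(am, tty7, ("Smith", "Research"))

    tty8 = Channel("tty8", authorized={("Jones", "Research")})
    am.assert_(tty8, ("Jones", "Research"), 200, 4, "Smith")
    spoof_ok = overseer_check(am, tty8, ("Smith", "Research"))   # rejected

    # A process may vouch for its own principal (same Principal ID).
    am.assert_(tty8, ("Jones", "Research"), 200, 4, "Jones")
    jones_ok = overseer_check(am, tty8, ("Jones", "Research"))

    am.on_connect(tty8)   # fresh connection: earlier assertions discarded
    after_reconnect = overseer_check(am, tty8, ("Jones", "Research"))
    return smith_ok, spoof_ok, jones_ok, after_reconnect
```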
Resource Control. 
Programs: 

user_process_manager_: 
The current implementation of resource control for Multics was adapted to 
run as the resource controller of the new implementation. 
user_process_manager_ acts as the resource controller for the new 
implementation. It calls on the resource control programs of the old 
implementation to perform specific resource control functions. Some of 
those programs are briefly described in this section. 
user_process_manager_, and all of the programs of the resource 
controller, make use of a data base known as the answer_table. This table 
contains entries for each process that describe that process's resource 
limitations and allow the resource controller to obtain resource 
usage statistics for that process. In addition, some of the programs 
make use of the system administrator's table (SAT), person name table 
(PNT), and project definition table (PDT). These data bases contain 
resource control parameters for projects, users, and specific 
user-project combinations. 


user_process_manager_$upm_init: 
This entry initializes the resource controller and calls the coordinator 
for process initiation to establish the calling process as the resource 
control process and to abort any process initiations in progress. 


user_process_manager_$upm_request: 
This entry point responds to a request to create a process. It calls 
on other resource control programs to verify that there is an account to 
fund the process, and to begin accounting for CPU and memory 
usage by the new process. Eventually, the coordinator for process 
initiation is called to finish the creation of the new process. 


user_process_manager_$upm_event: 
This entry point responds to events relevant to a process after that 
process has been created. It is invoked when messages are received from 
a process's trouble report event channel, which are used to report 
processes that have become damaged or have terminated. It is also 
invoked when other resource controller programs decide to terminate a 
process. If the AIM rules allow, user_process_manager_ forwards messages 
that it receives for a process to the trouble report channel specified by 
the creator of that process. 


lg_ctl_: 
... apply to a particular login. It applies the limits specified in these 
entries to determine whether or not the process under consideration will 
be created. It also maintains a data base that all processes can read 
that contains a list of all currently executing processes. lg_ctl_ calls 
load_ctl_ and act_ctl_ in order to insure that the proposed process will 
not overload the system and that it is able to fund its CPU and 
memory usage. There are two entries to lg_ctl_: lg_ctl_$login, which 
is called by user_process_manager_ to check a process before it is 
created, and lg_ctl_$logout, which records the termination of a process. 


load_ctl_: 
This program limits the number of processes on the system at any one 
time. 

load_ctl_$load_ctl_: 
This entry point is called by lg_ctl_ for each request to create a 
process. It decides whether or not to allow the new process to be 
created, and whether or not to preempt existing processes for the 
proposed new process. 

load_ctl_$unload: 
This entry point is called to record the termination of a process. 


act_ctl_: 
This program records the resource usage of all processes. The resource 
usage information for a particular process is maintained in the PDT entry 
corresponding to the person and project of that process's Principal ID. 
There are several entry points to act_ctl_. 

act_ctl_$check: 
This entry point checks to see that a valid account exists for a proposed 
process. It also checks that the account of a proposed process is not 
yet out of funds. 

act_ctl_$open_account: 
This entry point opens an account for updates. It must be called before 
accounting for a process can be initiated. 

act_ctl_$cp: 
This entry point instructs act_ctl_ to begin monitoring the resource 
usage of a process. 

act_ctl_$update: 
This entry point updates the resource usage statistics for all processes 
being monitored. It is called periodically in order to keep records up 
to date in the event of a system failure. 

act_ctl_$dp: 
This entry point informs act_ctl_ that a process has terminated and that 
it should no longer monitor that process. 

act_ctl_$close_account: 
This entry point closes an account and makes it unavailable for updates 
until it is re-opened. 


cpg_: 
This program constructs the create_info and pitmsg structures for a 
process. It fills in the resource control items in both 
structures from information available in the answer_table, SAT, PNT, and 
PDT entries for that process. 


Data Structures: 

answer_table: 
The answer_table contains one entry per process and is used to record 
information about that process. It also has a header that contains 
miscellaneous information and will not be described. Each answer_table 
entry contains the following information: 

A state, that indicates whether the entry is free, in use by process 
initiation, or used by a process that has already been created, 
The sizes and locations of the linkage offset table, combined linkage 
segment, and known segment table for this process, 
The trouble report event channel, 
The process ID of the process, 
The time at which the request for this process was received, 
Miscellaneous attributes of this process, 
A pointer to the PDT entry for this process, 
The scheduler work class for this process, 
The person and project components for this process, 
The name of the initial procedure for this process, 
The time of the last accounting update of this process, 
The CPU and memory usage of the process up to the last update, 
The time to wait before preempting this process for another. 

SAT: 
The SAT has a header that contains parameters used by load_ctl_ to 
determine how many users to allow on the system. In addition, it has one 
entry per project that contains the following information: 

Project name, 
Pointer to PDT for that project, 
Number of users authorized to use this project, 
Maximum number of such users, 
Miscellaneous limits on users of that project, 
Default load_ctl_ parameters for processes from that project. 

PNT: 
The PNT is a list of all of the users who may use Multics. It has one 
entry per user that contains the following information: 

AIM authorization for this user and all his processes, 
User name. 


PDT: 
There is one PDT data structure for each project. Each PDT contains 
entries describing the users who may use that project and charge to its 
account. Each of these entries has the following format: 

Name of user, 
Number of processes that the user currently has, 
Miscellaneous limits on the user's processes, 
Limited initial procedure for user (can be specified by the project 
administrator to limit the user's resource consumption. This does not 
force the user to use that initial procedure, but denies him the use of 
the project unless he does), 
Default home directory (used only if process creator doesn't specify a home 
directory), 
AIM authorization for user's processes, 
Summary of the resource usage of the user in the project. 
Coordination. 
Programs: 

proc_creat_: 
proc_creat_ is a gate used by the resource controller to call the 
coordinator for process initiation. It is accessible only to valid 
resource controller processes. Below is a list of the entries to 
proc_creat_ and the programs that they call. 

entry                            program called 
proc_creat_$initialize           initiate_process_$initialize 
proc_creat_$notify               initiate_process_$notify 
proc_creat_$create               initiate_process_$create 


initiate_process_: 
initiate_process_ is the program that provides coordination among the 
modules of process initiation. This program assembles create_info and 
pitmsg structures, to be used in creating a process, from data supplied 
by the domain changing mechanism, the resource controller, and the 
process that requested process initiation. There are four entry points 
to initiate_process_ that are described below. 


initiate_process_$initiate_process_: 
This entry point begins process initiation. It can be called by any 
process (through the dm_ gate) and takes three arguments: a create_info 
structure, a pitmsg structure, and the name of a domain gate object. The 
entry point dm_$interpret_gate is called to determine whether or not the 
calling process has "p" access to the gate, and to extract the Principal 
ID and initial procedure from the gate. The supplied pitmsg and 
create_info structures are then copied to a protected segment so that 
they cannot be changed while the resource controller decides whether or 
not to allow the process to be created. Parameters from these structures 
needed by the resource controller are then placed in a pr_rq data 
structure and sent to the resource controller (through the use of the 
Multics message_segment facility). 
initiate_process_ then waits for a message from the resource 
controller, or a timeout. Because initiate_process_ executes in ring 1, 
this effectively blocks the creating process until the resource 
controller is finished. This blocking reduces the chance that the 
creating process will terminate before process initiation is complete. 
(The implementation recovers from such an occurrence, but it is unpleasant 
and clearly undesirable.) The signal sent by the resource controller 
contains an indication of the success or failure of the attempt to 
create a process. On receipt of the signal, initiate_process_ returns to 
its caller. If the creation was successful, then the creating process 
must send a signal to the created process in order to begin its 
environment initialization. A new process is blocked until it receives 
such a signal so that the creating process can pass resources (terminal 
channels in particular) to the new process before environment 
initialization is attempted. If the creating process does not send such 
a signal, the resource controller will do so eventually to prevent the 
new process from staying blocked indefinitely. initiate_process_ 
maintains a list of all pending process initiations in the pending_creates 
data structure described below. 


initiate_process_$create: 
This entry point is called by the resource controller to finish the 
creation of an approved process. The arguments to this entry point are a 
create_info structure, a pitmsg structure, and the index of a process 
initiation request. The pitmsg and create_info structures supplied by 
the creating process for the specified request are found and compared 
with those supplied by the resource controller. All of the entries that 
represent information supplied to the resource controller in the pr_rq 
message must match. This matching is done to keep the resource 
controller from becoming confused when requests are timed out by the 
creating process, and because some of the resource controller programs 
replace unacceptable parameters in a process creation request rather than 
rejecting the request. The resource control attributes are then taken 
from the resource controller's pitmsg and create_info data structures and 
placed in the structures copied from those supplied by the creating 
process. hphcs_$create_proc is then called to create the specified 
process. If the creation is successful, then a signal is sent to the 
creating process. 
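The pr_rq exchange and the matching performed by initiate_process_$create, as an added Python model (not thesis code). It collapses create_info and pitmsg into one record, treats AIM authorization as an integer level, represents the domain gate by the three attributes the text extracts from it, and replaces event-channel signalling with return values; the field names are assumptions, taken from the pr_rq description in this appendix.

```python
"""Model of pending_creates / pr_rq handling in initiate_process_.

Added example, not thesis code.  Assumptions: create_info and pitmsg are
collapsed into one CreateRequest record; AIM authorization is an integer
level; the domain gate contributes (principal_id, initial_procedure,
aim_authorization); signalling is modelled by return values.
"""
from dataclasses import dataclass, replace

# Fields that go to the resource controller in the pr_rq message and must
# therefore come back unchanged in the controller's copy.
PR_RQ_FIELDS = ("trouble_report_channel", "creator_process_id", "principal_id",
                "home_directory", "initial_procedure", "initial_ring",
                "highest_ring", "aim_authorization")
# Fields the resource controller is entitled to fill in or replace.
RESOURCE_CONTROL_FIELDS = ("record_quota", "work_class", "usage_summary")


@dataclass(frozen=True)
class CreateRequest:
    trouble_report_channel: str
    creator_process_id: int
    principal_id: tuple
    home_directory: str
    initial_procedure: str
    initial_ring: int
    highest_ring: int
    aim_authorization: int
    record_quota: int = 0
    work_class: int = 0
    usage_summary: str = ""


@dataclass(frozen=True)
class DomainGate:
    principal_id: tuple
    initial_procedure: str
    aim_authorization: int


class Coordinator:
    """The initiate_process_ side of the exchange."""

    def __init__(self):
        self.pending_creates = {}   # request index -> protected copy
        self.next_index = 1

    def initiate_process(self, request, gate):
        """Called by the creating process; returns the pr_rq message."""
        # Gate attributes replace whatever the creator asked for, and the
        # copy is held where the creator cannot alter it after the check.
        protected = replace(
            request,
            principal_id=gate.principal_id,
            initial_procedure=gate.initial_procedure,
            aim_authorization=min(gate.aim_authorization, request.aim_authorization))
        index = self.next_index
        self.next_index += 1
        self.pending_creates[index] = protected
        pr_rq = {name: getattr(protected, name) for name in PR_RQ_FIELDS}
        pr_rq["index"] = index
        return pr_rq

    def timeout(self, index):
        """The creating process stopped waiting; drop the pending entry."""
        self.pending_creates.pop(index, None)

    def notify(self, index, error_code):
        """Resource controller rejected the request; pass the code back."""
        self.pending_creates.pop(index, None)
        return error_code

    def create(self, index, controller_request):
        """Finish creation of an approved request."""
        protected = self.pending_creates.get(index)
        if protected is None:
            raise LookupError(f"request {index} is not pending (timed out?)")
        mismatched = [name for name in PR_RQ_FIELDS
                      if getattr(protected, name) != getattr(controller_request, name)]
        if mismatched:
            # Stale or altered answer: refuse rather than create a process
            # with parameters that were never approved as a whole.
            raise ValueError(f"pr_rq fields do not match: {mismatched}")
        final = replace(protected, **{name: getattr(controller_request, name)
                                      for name in RESOURCE_CONTROL_FIELDS})
        del self.pending_creates[index]
        return final   # what would be handed to hphcs_$create_proc
```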


initiate_process_$notify: 
This entry point is used by the resource controller to abort an 
unsatisfactory request for process initiation. It takes as arguments an 
error code and a request index. The error code is returned to the 
creating process for that request. 

initiate_process_$initialize: 
This entry is used by the resource controller to initialize process 
initiation. It aborts all pending requests for processes and establishes 
the calling process as the resource controller (so that the signals will 
be sent to the proper process). 
Data Structures: 

pending_creates: 
The pending_creates data base is used by initiate_process_ to keep track 
of process creation requests that have been signalled to the resource 
controller and are awaiting approval. It has a header that contains the 
following information: 

A lock to prevent simultaneous access, 
The process ID of the resource controller for signalling, 
The next index to use for a process creation request, 
The location of a directory in which to keep pitmsg structures. 

pending_creates also has one entry per pending request. These entries 
contain the following information: 

A flag indicating whether or not this entry is in use, 
The time at which this request was made, 
The index of this request, 
An event channel to be used for signalling from the resource controller to 
the creating process, 
The process ID of the creating process, 
A copy of the create_info structure supplied by the creating process with 
attributes obtained from the domain gate replacing the corresponding 
attributes supplied by the creating process. 

pr_rq: 
This data structure is used to pass a request for process creation from 
the creating process to the resource controller. It contains the 
following information: 

The index of this request, 
The trouble report channel specified by the creator (the resource controller 
forwards trouble reports to this channel), 
The process ID of the creator, 
Principal ID desired for the process, 
Home directory for the process, 
Initial procedure for the process, 
Initial and highest ring numbers for the process, 
Requested AIM authorization (minimum of the authorization in the domain gate and 
the authorization requested by the creating process). 
dialup_: 
This program creates processes for users who use the TELNET protocol of the 
ARPA network to use Multics. It is included in this description of 
process initiation as an example of how the process initiation mechanism 
can be used. 


dialup_$attach:
This entry causes dialup_ to use a network virtual terminal channel. The
number of such channels in use at once determines the number of
simultaneous TELNET connections that can be supported. When a new TELNET
connection is made to Multics, one of the unused virtual terminal
channels is selected to be used for that connection.


dialup_$dialup_:

This entry point is called whenever a significant event occurs for a
terminal channel. dialup_ sends a greeting message to newly connected
channels, and waits for a response. The response is parsed as a login
line and the name of a gate to be used to create a process is determined
from that line. Additional information in the login line is used to fill
in create_info and pitmsg structures for a process. dm_$make_process is
called to create a process, and if successful, control of the virtual
terminal is granted to the new process before the new process is
awakened.


dialup_$process_event:

This entry point is called when a message is received from the trouble
report channel of a process created by dialup_. One of four possible
actions is taken, depending on the contents of that message. The
terminal channel can be hung up (if the process terminated voluntarily).
Another process can be created for that terminal (if the message
indicates that the previous process was damaged). A new greeting message
can be printed and a new login line accepted. Or, an error message can
be sent to the virtual terminal, if the trouble report message indicates
some error, or is invalid.
Data Structures:

This structure is used internally by dialup_ to keep track of the virtual
terminal channels currently in use. It has one entry for each such
channel, which contains the following information:
Terminal name,
Terminal state (response expected, or hangup expected),
Process state (no process, process being created, process executing),
Event channel for terminal channel events,
Trouble report channel for process,
Error code for this channel,
Index for this channel,
Person and Project for this channel,
Home directory (taken from login line),
Gate name.
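As an added illustration of the dialup_ entry points and the per-channel table just listed (this is example code, not Multics or the thesis's implementation), the following Python model keeps one entry per virtual terminal channel, parses a login line to select the gate, and dispatches a trouble report to one of the four actions described under dialup_$process_event. The login line syntax, the trouble report message kinds, the "relogin" trigger for a fresh greeting, the make_process callback standing in for dm_$make_process, and all sample values are assumptions.

```python
"""Model of dialup_'s per-channel table, login handling and trouble-report
dispatch. Added example, not Multics code; login-line syntax, message
kinds and the make_process callback are constructed assumptions."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Callable, List, Tuple


class TermState(Enum):
    RESPONSE_EXPECTED = auto()   # greeting sent, waiting for a login line
    HANGUP_EXPECTED = auto()     # process gone, channel about to be hung up


class ProcState(Enum):
    NO_PROCESS = auto()
    BEING_CREATED = auto()
    EXECUTING = auto()


@dataclass
class Channel:
    """One entry of dialup_'s table of virtual terminal channels."""
    name: str
    index: int
    term_state: TermState = TermState.RESPONSE_EXPECTED
    proc_state: ProcState = ProcState.NO_PROCESS
    event_channel: int = 0
    trouble_channel: int = 0
    error_code: int = 0
    person: str = ""
    project: str = ""
    home_dir: str = ""
    gate_name: str = ""
    output: List[str] = field(default_factory=list)   # text sent to the terminal (model only)


GREETING = "Multics (model). Please login."   # constructed greeting text

# Stand-in for dm_$make_process: given the filled-in channel entry, returns success.
MakeProcess = Callable[[Channel], bool]


def parse_login_line(line: str) -> Tuple[str, str, str, str]:
    """Assumed syntax: 'login Person Project [-gate NAME] [-home DIR]'.
    Returns (person, project, gate_name, home_dir). The gate selects the
    domain; the gate's attributes, not the login line, fix the new process's
    principal ID, rings and authorization (see the pending creates entry)."""
    toks = line.split()
    if len(toks) < 3 or toks[0] != "login":
        raise ValueError("malformed login line")
    person, project = toks[1], toks[2]
    gate = f"{project}_gate"               # assumed default: one login gate per project
    home = f">udd>{project}>{person}"      # constructed Multics-style path
    i = 3
    while i < len(toks):
        if toks[i] == "-gate" and i + 1 < len(toks):
            gate = toks[i + 1]
            i += 2
        elif toks[i] == "-home" and i + 1 < len(toks):
            home = toks[i + 1]
            i += 2
        else:
            raise ValueError(f"unknown login option {toks[i]}")
    return person, project, gate, home


def handle_login(ch: Channel, line: str, make_process: MakeProcess) -> bool:
    """dialup_$dialup_ on a login response: fill the entry, create the process."""
    try:
        ch.person, ch.project, ch.gate_name, ch.home_dir = parse_login_line(line)
    except ValueError as exc:
        ch.output.append(f"Error: {exc}")
        return False
    ch.proc_state = ProcState.BEING_CREATED
    if make_process(ch):
        # terminal control passes to the new process before it is awakened
        ch.proc_state = ProcState.EXECUTING
        return True
    ch.proc_state = ProcState.NO_PROCESS
    ch.output.append("Error: process creation refused")
    return False


def process_event(ch: Channel, message: str, make_process: MakeProcess) -> str:
    """dialup_$process_event: one of four actions chosen by the trouble report.
    Message kinds ('terminated', 'damaged', 'relogin') are assumptions."""
    if message == "terminated":                 # voluntary termination: hang up
        ch.proc_state = ProcState.NO_PROCESS
        ch.term_state = TermState.HANGUP_EXPECTED
        return "hangup"
    if message == "damaged":                    # previous process damaged: make another
        ch.proc_state = ProcState.BEING_CREATED
        ok = make_process(ch)
        ch.proc_state = ProcState.EXECUTING if ok else ProcState.NO_PROCESS
        return "recreated" if ok else "error"
    if message == "relogin":                    # fresh greeting, accept a new login line
        ch.proc_state = ProcState.NO_PROCESS
        ch.term_state = TermState.RESPONSE_EXPECTED
        ch.output.append(GREETING)
        return "greeting"
    ch.error_code = 1                           # anything else: report an error
    ch.output.append(f"Error: unrecognised trouble report {message!r}")
    return "error"
```

Because dialup_ is itself an unprivileged user of the process initiation mechanism, a malformed login line or a refused creation only affects the one channel entry: the error is recorded in that entry and reported on that terminal, and no process exists until make_process has succeeded.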